105 matches found
CVE-2026-43918
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...
CVE-2026-52781
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the HTML sanitizer grants elements unrestricted data- attributes via :data wildcard. An attacker injects data-controller="poll-for-changes" into a work package description, causing Stimulus.js to mount ...
CVE-2026-48505
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the writer field's link and email marks. An attacker can execute arbitrary JavaScript code in the context of the authenticated user's browser session by injecting a malicious link and tricking the user into...
CVE-2026-45173
The CVE concerns Idira Identity Browser Extension for Chrome, Firefox, and Edge, with versions prior to 26.8.1. A flaw in origin validation within internal web-page verification routines could allow a remote attacker to trigger unauthorized application interaction or execution parameters within a...
PT-2026-47017
Name of the Vulnerable Software and Affected Versions Termix versions prior to 2.3.2 Description Termix is a web-based server management platform providing SSH terminal, tunneling, and file editing capabilities. An OS command injection exists in the "/ssh/file manager/ssh/resolvePath" endpoint. T...
CVE-2026-49001 Cross-Site Request Forgery (CSRF) vulnerability in ZTE ZXUniPOS NDS-LTE product
Cross-site request forgery CSRF vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampering with configuration data...
CVE-2026-44451
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals fetch, window, eval, etc. with undefined. A static source validator...
CVE-2018-25363
Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from...
CVE-2018-25363 Twitter-Clone 1 Cross-Site Request Forgery via tweetdel.php
Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from...
CVE-2018-25363
CVE-2018-25363 – Twitter-Clone 1 CSRF : The vulnerability allows remote attackers to coerce authenticated users into deleting posts by crafting hidden HTML forms targeting tweetdel.php with tweet IDs and auto-submitting them. The issue arises from a cross-site request forgery that can delete arbi...
EUVD-2018-21887
Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from...
CVE-2018-25363 Twitter-Clone 1 Cross-Site Request Forgery via tweetdel.php
Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from...
CVE-2018-25363
Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from...
PT-2026-43216
Twitter-Clone 1 contains a cross-site request forgery vulnerability that allows remote attackers to force victims to delete posts by crafting malicious HTML forms. Attackers can create hidden forms targeting tweetdel.php with tweet IDs and automatically submit them to delete arbitrary posts from...
Linkwarden 跨站脚本漏洞
Linkwarden is a self-hosted collaborative bookmark manager developed by Linkwarden OpenSource. Versions of Linkwarden 2.14.0 and earlier contained a cross-site scripting vulnerability. This vulnerability stemmed from the archive upload endpoint accepting HTML files without cleaning JavaScript...
CVE-2026-42455
Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In versions 2.14.0 and prior, the archive upload endpoint POST /api/v1/archives/linkId?format=4 accepts HTML files text/html without sanitizing JavaScript content. When the archive i...
Missing Authorization
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization in the browser interaction routes process. An attacker can access unauthorized internal or external resources by bypassing policy enforcement through existing...
EUVD-2026-25348
A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continu...
SenseLive X3050 代码问题漏洞
The SenseLive X3050 is a data collection and environmental monitoring device designed for IoT scenarios by SenseLive Corporation. The SenseLive X3050 has a code vulnerability that stems from improper execution of the Web management interface’s session lifecycle. This issue allows authenticated...