16 matches found
CVE-2026-47324
ProjectsAndPrograms school-management-system is vulnerable to Stored Cross‑Site Scripting XSS in multiple attributes of students and teachers objects. An authorized attacker e.g., a teacher or administrator can inject malicious JavaScript that is subsequently executed in other users’ browsers...
EUVD-2026-34093
ProjectsAndPrograms school-management-system is vulnerable to Stored Cross‑Site Scripting XSS in multiple attributes of students and teachers objects. An authorized attacker e.g., a teacher or administrator can inject malicious JavaScript that is subsequently executed in other users’ browsers...
CVE-2026-9412
Technical details about CVE-2026-9412 are not publicly available in the provided documents. Monitor sources for updates on affected components, impact, and remediation.
CVE-2026-9412 SourceCodester Indian Invoicing System Backend Endpoint access control
A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be...
CVE-2026-9412 SourceCodester Indian Invoicing System Backend Endpoint access control
A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be...
PT-2026-42983
A vulnerability was determined in SourceCodester Indian Invoicing System 1.0. Impacted is an unknown function of the component Backend Endpoint. Executing a manipulation can lead to improper access controls. The attack can be launched remotely. The exploit has been publicly disclosed and may be...
CVE-2026-42461 Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full...
GHSA-JRC5-W569-H7H5 phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ
Summary A review of phpMyFAQ-main uncovered an authorization issue in the admin-api routes. Several backend endpoints only check whether the caller is logged in. They do not verify that the caller actually has backend or administrative privileges. As a result, a normal frontend user can access AP...
GHSA-FHRF-Q333-82FM CI4MS: Blogs Categories Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Summary Vulnerability: Stored DOM XSS via Blog Category Title Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Blog Category Title in Blog Management Description The application fails to properly sanitize user-controlled input when creating or editing blog categories. An...
CVE-2026-23754
D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary userid value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credentia...
D-Link D-View 8 security vulnerability
D-Link D-View 8 is a comprehensive network management software developed by D-Link Corporation. Versions of D-Link D-View 8 2.0.1.107 and earlier contained security vulnerabilities. These vulnerabilities were caused by improper access control at the backend API endpoints, which could allow any...
CVE-2026-22236
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the...
EUVD-2025-36366
Landlord Onboarding & Rental Signup introduces the landlord onboarding workflow and rental signup system for VivaTurbo Rentals & Property Services. In 2.0.0 and earlier, a vulnerability was identified in the TurboTenant property listing activation workflow that could allow unauthorized access to...
CVE-2025-62714
Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints e.g., /api/v1/secret, /api/v1/service did not...
Bykea: Bypassing Bronze Partner Wallet Restriction to Accept Trips with Negative Balance
The vulnerability allowed Bronze-tier partners with negative wallet balances to bypass platform restrictions and accept trips. By chaining three backend endpoints, a negative balance driver could reset their availability and successfully submit bids, enabling unauthorized access to trips despite...
CVE-2023-33282
Marval MSM through 14.19.0.12476 and 15.0 has a System account with default credentials. A remote attacker is able to login and create a valid session. This makes it possible to make backend calls to endpoints in the application...