73 matches found
EUVD-2026-41678
A vulnerability was found in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to 95dfa8cebbb87ab46ae450643a07241274a74dce. Affected by this issue is the function setReferrer of the file application/core/MYController.php of the component Trusted Backend Interface. The manipulation of the argument hr...
CVE-2026-14632
The CVE covers a vulnerability in kirilkirkov Ecommerce-CodeIgniter-Bootstrap (up to commit 95dfa8ce…). The vulnerable component is function setReferrer in application/core/MY_Controller.php (Trusted Backend Interface). The issue arises from manipulating the href argument, causing an open redirec...
TYPO3 CMS has Broken Access Control in Backend API
Problem Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. Solution Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LT...
CVE-2026-47352 TYPO3 CMS - Broken Access Control in Backend API
Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46,...
AndroScanner: Automated Backend Vulnerability Detection for Android Applications
Mobile applications rely on complex backends that introduce significant security risks, yet developers often lack the tools to assess these risks effectively. This paper presents AndroScanner, an automated pipeline for detecting vulnerabilities in Android application backends through combined...
CVE-2026-22683
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
Authentication Bypass
GenieACS is vulnerable to Authentication Bypass. The vulnerability is due to missing authentication checks in the NBI API endpoint, which allows an attacker to access the API without proper authorization...
EUVD-2026-19747
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683
CVE-2026-22683 affects Windmill versions 1.56.0–1.614.0, where missing authorization checks on the Operator role allow prohibited entity creation and modification via the backend API. Operators can create/update scripts, flows, apps, and raw_apps, and can execute scripts via the jobs API, enablin...
Umbraco 安全漏洞
Umbraco is an open-source content management system CMS written in C by the Danish company Umbraco. Versions of Umbraco from 14.0.0 to 16.5.1, as well as versions before 17.2.2, have security vulnerabilities. These vulnerabilities stem from insufficient authorization for backend API endpoints,...
CVE-2026-3057
A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Interface. The manipulation of the argument projectCode results in sql injection. The attack can be...
CVE-2026-3057 a54552239 pearProjectApi Backend Task.php dateTotalForProject sql injection
A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Interface. The manipulation of the argument projectCode results in sql injection. The attack can be...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Value argument in the Backend Interface component. An attacker can inject malicious script code by supplying crafted input to the affected parameter. Details Cross-site scripting or XSS is a code...
GHSA-RFH7-7V27-6P9R funadmin: XSS through Value argument in Backend Interface component
A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. The manipulation of the argument Value leads to cross site scripting. The attack is possible to be...
funadmin: XSS through Value argument in Backend Interface component
A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. The manipulation of the argument Value leads to cross site scripting. The attack is possible to be...
CVE-2026-2897 funadmin Backend index.html cross site scripting
A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. The manipulation of the argument Value leads to cross site scripting. The attack is possible to be...
CVE-2026-2897 funadmin Backend index.html cross site scripting
A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. The manipulation of the argument Value leads to cross site scripting. The attack is possible to be...
CVE-2026-2897
CVE-2026-2897 affects funadmin up to version 7.1.0-rc4, specifically in the Backend Interface code path (file: app/backend/view/index/index.html). The issue arises from manipulation of the Value argument, enabling cross-site scripting. Exploitation is remote and public exploits exist; vendor was ...
FunAdmin 代码注入漏洞
FunAdmin is an open-source backend development system developed using ThinkPHP6 and Layui. Versions of FunAdmin 7.1.0-rc4 and earlier have a code injection vulnerability. This vulnerability stems from incorrect handling of parameters in the app/backend/view/index/index.html file of the component'...
PT-2026-21402
A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. The manipulation of the argument Value leads to cross site scripting. The attack is possible to be...