10015 matches found
CVE-2026-46686
Emlog is an open source website building system. In 2.6.13 and earlier, the admin backend user search module's keyword parameter from admin/user.php is processed with addslashes but not HTML-escaped before being rendered into the value attribute in admin/views/user.php, allowing reflected...
CVE-2026-46686
Emlog 2.6.13 and earlier is affected by a reflected XSS in the admin backend. The keyword parameter from admin/user.php is added with addslashes but not HTML-escaped when rendered into the value attribute in admin/views/user.php, enabling an administrator’s session to be compromised via crafted i...
Vue Vben Admin - Default Credentials
Vue Vben Admin 2.10.1 contains a broken authentication caused by hardcoded credentials in the backend, letting attackers log in without proper authorization, exploit requires access to the login interface. id: CVE-2025-25570 info: name: Vue Vben Admin - Default Credentials author: 0xAkoko severit...
Shopware < 5.5.8 - Cross-Site Scripting
Shopware before 5.5.8 contains a reflected cross-site scripting XSS caused by unsanitized query string parameters in the backend/Login or backend/Login/load/ URI, letting attackers execute arbitrary scripts in the context of the victim's browser, exploit requires sending crafted URL to the victim...
CVE-2026-49279
CVE-2026-49279 (WWBN AVideo) describes a stored XSS in the WebSocket messaging system. The vulnerability arises because MessageSQLite.php only strips autoEvalCodeOnHTML from json["msg"], while msgToResourceId() favors json over msg, allowing an attacker to place the payload in json and bypass san...
EUVD-2026-44705
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the...
CVE-2026-62683
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.17, File Browser can leave a public directory share behind when the shared directory is deleted through a path with a trailing slash because the...
CVE-2026-15752
A vulnerability was found in zhinianboke xianyu-auto-reply up to dcb445ad97816ad65299a7580ee0c8c8f929da84. Affected is an unknown function of the file /api/v1/users/ of the component Backend User Endpoint. Performing a manipulation results in missing authorization. The attack may be initiated...
CVE-2026-15752 zhinianboke xianyu-auto-reply Backend User Endpoint users authorization
A vulnerability was found in zhinianboke xianyu-auto-reply up to dcb445ad97816ad65299a7580ee0c8c8f929da84. Affected is an unknown function of the file /api/v1/users/ of the component Backend User Endpoint. Performing a manipulation results in missing authorization. The attack may be initiated...
CVE-2026-52841
Easy!Appointments before 1.6.0 is vulnerable to an Authorization bypass in Google OAuth provider binding. The issue: in Google::oauth (application/controllers/Google.php:278), the provider_id supplied in the request is stored in the session and oauth_callback saves the Google OAuth token against ...
CVE-2026-62392
Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability in Apache Kylin. A backend API may bring job config parameters to OS command line. This issue affects Apache Kylin: from 4 through 5.0.3. Users are recommended to upgrade to version 5.0.4, which...
CVE-2026-62392 Apache Kylin: OS Command Injection via Async Query API
Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability in Apache Kylin. A backend API may bring job config parameters to OS command line. This issue affects Apache Kylin: from 4 through 5.0.3. Users are recommended to upgrade to version 5.0.4, which...
CVE-2026-57898
In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter...
CVE-2026-57898
In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter...
EUVD-2026-43635
In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter...
CVE-2026-44769 SQL Injection vulnerability in SAP S/4HANA Project Management (PPM-PRO)
SAP S/4HANA application Project Management PPM-PRO allows an attacker with high privileges to execute crafted database queries, exposing the backend database. This results in low impact on confidentiality, with no impact on integrity and availability of the application...
CVE-2026-44769
CVE-2026-44769 affects SAP S/4HANA Project Management (PPM-PRO). The connected documents describe a vulnerability where an attacker with high privileges can induce crafted database queries, resulting in exposure of the backend database. The impact is specified as low for confidentiality (C:H) wit...
EUVD-2026-43593
SAP S/4HANA application Project Management PPM-PRO allows an attacker with high privileges to execute crafted database queries, exposing the backend database. This results in low impact on confidentiality, with no impact on integrity and availability of the application...
PT-2026-57990
Name of the Vulnerable Software and Affected Versions Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 through 2.0.0-milestone-12 Description Deployments using the MongoDB backend are subject to an unauthenticated arbitrary file write via the AAS thumbnail API. The issue occurs because t...
PT-2026-60111
Name of the Vulnerable Software and Affected Versions Woodpecker CI versions v1.0.0 through v3.15.0 Description A privilege escalation issue exists in instances using the Kubernetes backend. The pipeline option backend options.kubernetes.serviceAccountName is passed directly to the pod spec witho...