20146 matches found
DomainMOD 4.13.0 - Cross-Site Scripting
DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the "or Expiring Between" parameter. id: CVE-2020-20988 info: name: DomainMOD 4.13.0 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.13.0 is vulnerable to...
Moodle LTI module Reflected - Cross-Site Scripting
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's brows...
ROOT-APP-MAVEN-CVE-2026-22732 CVE-2026-22732 in io.root.org.springframework.security:spring-security-web - Patched by Root
Root has patched CVE-2026-22732 in the io.root.org.springframework.security:spring-security-web package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-54512 CVE-2026-54512 in io.root.com.fasterxml.jackson.core:jackson-databind - Patched by Root
Root has patched CVE-2026-54512 in the io.root.com.fasterxml.jackson.core:jackson-databind package for Root:Maven. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2025-54121 CVE-2025-54121 in rootio-starlette - Patched by Root
Root has patched CVE-2025-54121 in the rootio-starlette package for Root:PyPI. Multiple fixed versions available...
CVE-2026-15546
The CVE-2026-15546 entry describes a remote OS command injection in Shibby Tomato up to 1.28.0000. Affected component: start_jffs2, function sub_2D568. Exploitation involves manipulating the argument jffs2_exec; exploit is public and may be used for attacks. CVSS data indicate network access with...
ROOT-OS-DEBIAN-12-CVE-2026-41080 CVE-2026-41080 in rootio-expat - Patched by Root
Root has patched CVE-2026-41080 in the rootio-expat package for Root:Debian:12. Multiple fixed versions available...
ROOT-OS-DEBIAN-12-CVE-2024-28757 CVE-2024-28757 in rootio-expat - Patched by Root
Root has patched CVE-2024-28757 in the rootio-expat package for Root:Debian:12. Multiple fixed versions available...
ROOT-OS-DEBIAN-12-CVE-2026-32776 CVE-2026-32776 in rootio-expat - Patched by Root
Root has patched CVE-2026-32776 in the rootio-expat package for Root:Debian:12. Multiple fixed versions available...
Malicious code in another-poc-by-tipsen (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1bd73ac39644da27df81fcbc6540647d0f13d77419a07997a8ca0a2baa6164e package.json declares a dependency safe-chain-test sourced from a tarball URL on an anonymous Cloudflare tunnel host...
ROOT-APP-NPM-CVE-2020-8203 CVE-2020-8203 in @rootio/lodash.pick - Patched by Root
Root has patched CVE-2020-8203 in the @rootio/lodash.pick package for Root:npm. Multiple fixed versions available...
XWiki Platform - SQL Injection
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an...
CVE-2026-55475 Snipe-IT: Import created_by can be overwritten
Snipe-IT is an IT asset/license management system. Prior to 8.6.1, the Importer API endpoint allows a user with CSV import capabilities and a valid API key to overwrite the createdby value of an import file, allowing unauthorized modification of import ownership metadata. This issue is fixed in...
CVE-2026-55475
Snipe-IT prior to version 8.6.1 is vulnerable via the Importer API endpoint where a user with CSV import capabilities and a valid API key can overwrite the created_by value of an import file, enabling unauthorized modification of import ownership metadata. The issue is fixed in version 8.6.1. Thi...
CVE-2026-61461
Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the searchbyfulltext method without escaping or parameterization. Attackers can inject malicious SQL throu...
CVE-2026-55476 Snipe-IT: Unauthorized Asset Request Cancellation via Unguarded cancel_by_admin Parameter
Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/itemType/itemId/cancelbyadmin?/requestingUser? accepts cancelbyadmin as a URL path segment without sufficient authorization, allowing an authenticated user to supply a victim user ID and silently cancel that...
CVE-2026-55476
Snipe-IT (asset/license management) prior to v8.6.0 is vulnerable: POST /account/request/{itemType}/{itemId}/{cancel_by_admin}/{requestingUser} accepts cancel_by_admin as a URL path segment, enabling an authenticated user to silently cancel another user’s pending asset requests. Affects versions ...
CVE-2026-56666
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive...
CVE-2026-61461
Summary: CVE-2026-61461 affects Dify before 1.16.0-rc1, where the MyScale vector store backend is vulnerable to SQL injection via the search_by_full_text method due to unsanitized, unparameterized search parameters. This can allow an attacker to read, modify, or delete data in the underlying Clic...
ROOT-OS-DEBIAN-13-CVE-2026-1965 CVE-2026-1965 in rootio-curl - Patched by Root
Root has patched CVE-2026-1965 in the rootio-curl package for Root:Debian:13. Multiple fixed versions available...