52 matches found
CVE-2026-49433
The CVE affects DeepAI’s endpoint https://api.deepai.org/change_user_email, where POST requests lack CSRF protection. An attacker could lure a logged-in user to visit a malicious link, enabling the attacker to change the user’s email address and potentially take over the account. The issue is mit...
DeepAI.org CSRF
RISK EVALUATION The DeepAI.org endpoint https://api.deepai.org/change_user_email accepts POST requests without any CSRF protection. If a logged-in user is tricked into visiting a malicious HTML page, an attacker can change the user's email address to their own and take over the account via...
DeepAI security vulnerability
DeepAI is a generative artificial intelligence platform developed by DeepAI Inc. in the United States. There is a security vulnerability in DeepAI. This vulnerability stems from the endpoint https://api.deepai.org/change_user_email, which accepts POST requests without CSRF protection. This could...
PT-2026-45563
The DeepAI endpoint https://api.deepai.org/change_user_email accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...
CVE-2021-47946
OpenCart 3.0.36 is affected by a cross-site request forgery on the /account/edit endpoint. The vulnerability allows unauthenticated attackers to modify victim account details by enticing users to visit malicious pages, enabling CSRF payloads to change email and other account information. Attacker...
CVE-2026-3020
Identity-based authorization bypass (IDOR) vulnerability that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other...
PT-2026-25669
Identity-based authorization bypass (IDOR) vulnerability that allows an attacker to modify the data of a legitimate user account, such as changing the victim's email address, validating the new email address, and requesting a new password. This could allow them to take complete control of other...
CVE-2025-13913 Inductive Automation Ignition Software Deserialization of Untrusted Data
A privileged Ignition user, intentionally or otherwise, imports an external file with a specially crafted payload, which executes embedded malicious code...
CVE-2026-1670
The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address...
CVE-2026-1670
CVE-2026-1670 affects Honeywell CCTV products including Honeywell I-HIB2PI-UL 2MP IP, SMB NDAA MVO-3, PTZ WDR 2MP 32M, and 25M IPC. The root cause is an unauthenticated API endpoint exposure that allows an attacker to remotely change the recovery email address used for password resets, potentiall...
CVE-2025-69289 Discourse has insecure default configuration that allows non-admin moderators to take over any non-staff account via email change
Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4...
CVE-2021-47754
Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users...
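The CSRF pattern shared by the DeepAI, OpenCart and Arunna entries above, shown as an added Python example (not code from any of those projects): a change-email handler that trusts nothing but the session cookie, beside one that also requires a same-site Origin and a token bound to the session. The origins, the cookie value, the user record, the `/change_email` path and the attacker's auto-submitting page are all constructed for the demonstration.

```python
"""Cross-site request forgery against a change-email endpoint.

Added example; the request/session model, the token scheme and all sample
values are constructed here. The point it shows: a browser attaches the
victim's session cookie to a form POST from any origin, so a cookie alone
does not prove the user intended the request.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://app.example"        # assumed legitimate site origin
ATTACKER_ORIGIN = "https://evil.example"   # assumed origin of the attacker's page

# Constructed state: one logged-in user and the cookie that identifies them.
users = {"victim": {"email": "victim@example.org"}}
sessions = {"sess-abc123": {"user": "victim", "csrf_token": secrets.token_hex(16)}}


@dataclass
class Request:
    method: str
    headers: dict[str, str]
    form: dict[str, str]
    cookies: dict[str, str] = field(default_factory=dict)


def _session(req: Request):
    return sessions.get(req.cookies.get("session", ""))


def change_email_vulnerable(req: Request) -> tuple[int, str]:
    """Authenticates the caller but never checks who built the request."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 401, "not logged in"
    users[sess["user"]]["email"] = req.form["email"]
    return 200, "email changed"


def change_email_hardened(req: Request) -> tuple[int, str]:
    """Two independent checks: the Origin (or Referer) header must belong to
    the site, and the form must carry the unguessable token bound to this
    session, which a cross-origin page cannot read."""
    sess = _session(req)
    if req.method != "POST" or sess is None:
        return 401, "not logged in"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403, "cross-origin request rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    users[sess["user"]]["email"] = req.form["email"]
    return 200, "email changed"


# Constructed attacker page. When the victim's browser loads it, the form is
# submitted with the victim's cookie attached and Origin set to evil.example.
ATTACKER_PAGE = """<form action="https://app.example/change_email" method="POST">
  <input type="hidden" name="email" value="attacker@evil.example">
</form><script>document.forms[0].submit()</script>"""


def forged_request() -> Request:
    """The request the browser emits for ATTACKER_PAGE."""
    return Request("POST", {"Origin": ATTACKER_ORIGIN},
                   {"email": "attacker@evil.example"}, {"session": "sess-abc123"})


def legitimate_request() -> Request:
    """A request from the site's own page, which embedded the session token."""
    tok = sessions["sess-abc123"]["csrf_token"]
    return Request("POST", {"Origin": SITE_ORIGIN},
                   {"email": "new@example.org", "csrf_token": tok},
                   {"session": "sess-abc123"})


def run_demo() -> dict:
    """Status each handler returns for the forged request, the email on
    record afterwards, and the result of a legitimate request."""
    users["victim"]["email"] = "victim@example.org"
    v_status, _ = change_email_vulnerable(forged_request())
    after_vulnerable = users["victim"]["email"]
    users["victim"]["email"] = "victim@example.org"
    h_status, _ = change_email_hardened(forged_request())
    after_hardened = users["victim"]["email"]
    ok_status, _ = change_email_hardened(legitimate_request())
    return {"vulnerable": (v_status, after_vulnerable),
            "hardened": (h_status, after_hardened),
            "legitimate": (ok_status, users["victim"]["email"])}


if __name__ == "__main__":
    print(run_demo())
```

The hardened handler still lets whoever holds the session change the address; what it removes is a third-party page doing so on the user's behalf. Setting the session cookie with `SameSite=Lax` keeps the browser from attaching it to cross-site POSTs in the first place, and confirming the change at the new address while notifying the old one limits the damage if a check is ever bypassed.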
CVE-2025-64349
ELOG allows an authenticated user to modify another user's profile. An attacker can edit a target user's email address, then request a password reset, and take control of the target account. By default, ELOG is not configured to allow self-registration...
EUVD-2025-37399
ELOG allows an authenticated user to modify another user's profile. An attacker can edit a target user's email address, then request a password reset, and take control of the target account. By default, ELOG is not configured to allow self-registration...
Revive Adserver: Authorization bypass allows changing email address of other users
Revive Adserver 6.0.0 was found to have an authorization bypass that allowed the email address of other users to be changed without the account password. The vulnerability was present in the admin panel endpoint /admin/agency-user.php, which accepted a POST request that...
EUVD-2021-21857
Malware in sbrugna...
EUVD-2024-26809
Malicious code in bioql PyPI...
User Management System admin/change-emailid.php File SQL Injection Vulnerability
User Management System is a web application for managing user accounts. It suffers from a SQL injection vulnerability caused by the uid parameter of /admin/change-emailid.php being used in a SQL statement without validation. An attacker can exploit this...
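The injection described in the User Management System entry, as an added Python example against an in-memory SQLite table (not code from that project; the schema, rows and query shape are constructed): a change-email statement that pastes `uid` into the SQL text beside one that validates the parameter's type and binds it, with a constructed `uid` payload that rewrites the WHERE clause.

```python
"""SQL injection through an unvalidated uid on an admin change-email page.

Added example; table, rows and statements are constructed. Interpolating
uid into the statement lets the caller extend the WHERE clause, so one
request changes every account's email instead of one.
"""
import sqlite3


def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "admin@example.org"),
        (2, "alice", "alice@example.org"),
        (3, "bob", "bob@example.org"),
    ])
    return db


def change_email_vulnerable(db: sqlite3.Connection, uid: str, email: str) -> int:
    """uid (and email) go straight into the statement text."""
    sql = f"UPDATE users SET email = '{email}' WHERE id = {uid}"
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def change_email_hardened(db: sqlite3.Connection, uid: str, email: str) -> int:
    """Check that uid has the type the schema expects, then bind both values
    so they are passed as data rather than parsed as SQL."""
    if not uid.isdigit():
        raise ValueError("uid must be a positive integer")
    cur = db.execute("UPDATE users SET email = ? WHERE id = ?", (email, int(uid)))
    db.commit()
    return cur.rowcount


def emails(db: sqlite3.Connection) -> list:
    return [row[0] for row in db.execute("SELECT email FROM users ORDER BY id")]


def run_demo() -> dict:
    payload = "2 OR 1=1"   # constructed injection: makes the WHERE clause always true
    db = fresh_db()
    v_rows = change_email_vulnerable(db, payload, "attacker@evil.example")
    v_emails = emails(db)

    db = fresh_db()
    try:
        change_email_hardened(db, payload, "attacker@evil.example")
        h_rows = -1            # would mean the payload got through
    except ValueError:
        h_rows = 0
    h_emails = emails(db)
    ok_rows = change_email_hardened(db, "2", "alice.new@example.org")
    return {"vulnerable": (v_rows, v_emails),
            "hardened": (h_rows, h_emails),
            "legitimate": (ok_rows, emails(db)[1])}


if __name__ == "__main__":
    print(run_demo())
```

The type check is not what stops the injection; binding is. It is kept because a uid that is not an integer is a malformed request whatever the database would do with it, and rejecting it early gives a clean 4xx instead of a silent zero-row update.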