
65232 matches found

RedhatCVE
added 2026/01/07 9:34 a.m., 3 views

CVE-2019-7654

Wowza Streaming Engine 4.8.0 and earlier suffers from multiple CSRF vulnerabilities. For example, an administrator, by following a link, can be tricked into making unwanted changes such as adding another admin user via enginemanager/server/user/edit.htm in the Server-Users component. This issue w...

CVSS 6.5, AI score 7, EPSS 0.00574
Exploits 1, References 1
RedhatCVE
added 2026/01/07 9:30 a.m., 6 views

CVE-2019-16531

LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php...

CVSS 8.8, AI score 6.9, EPSS 0.0021
Exploits 5, References 1
RedhatCVE
added 2026/01/07 9:14 a.m., 4 views

CVE-2024-2797

The MailerLite – Signup forms official plugin for WordPress is vulnerable to unauthorized plugin setting changes due to a missing capability check on the toggleRolesAndPermissions and editAllowedRolesAndPermissions functions in all versions up to, and including, 1.7.6. This makes it possible for...

CVSS 5.3, AI score 6.7, EPSS 0.00182
Exploits 0, References 1
RedhatCVE
added 2026/01/07 9:11 a.m., 3 views

CVE-2025-68954

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to...

CVSS 7.5, AI score 6.6, EPSS 0.00011
Exploits 0, References 1
CVE
added 2026/01/07 8:21 a.m., 9 views

CVE-2025-13521

WP Status Notifier is vulnerable to CSRF due to missing/incorrect nonce validation on the settings update function, enabling unauthenticated attackers to change plugin settings by deceptively prompting an admin (e.g., via forged link). The CVE entry lists a CVSS v3.1 base score of 4.3 (Medium) w...

CVSS 4.3, AI score 5, EPSS 0.00011
Exploits 0, References 3
Cvelist
added 2026/01/07 7:05 a.m., 23 views

CVE-2025-31963 HCL BigFix IVR is impacted by improper authentication and missing CSRF protection

Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests...

CVSS 2.9, EPSS 0.00002
Exploits 0, References 1
CVE
added 2026/01/07 7:05 a.m., 9 views

CVE-2025-31963

Summary (CVE-2025-31963) : In HCL BigFix IVR version 4.2, the local setup interface component suffers from improper authentication and missing CSRF protection. This allows a local attacker to perform unauthorized configuration changes through unauthenticated administrative configuration requests....

CVSS 3.3, AI score 6.5, EPSS 0.00002
Exploits 0, References 1, Affected Software 1
CNNVD
added 2026/01/07 12:00 a.m., 2 views

Progress MOVEit Transfer security vulnerability

Progress MOVEit Transfer is a secure hosted file transfer application from Progress. A security vulnerability exists in Progress MOVEit Transfer that stems from unverified password changes. The following versions are affected: version 2023.1.0 through versions prior to 2023.1.3, version 2023.0.0...

CVSS 7.5, AI score 6.8, EPSS 0.00018
Exploits 0, References 2
Positive Technologies
added 2026/01/07 12:00 a.m., 4 views

PT-2026-1576

Name of the Vulnerable Software and Affected Versions HCL BigFix IVR version 4.2 Description The local setup interface component suffers from improper authentication and a lack of CSRF protection. This allows a local attacker to make unauthorized configuration changes by sending unauthenticated...

CVSS 3.3, AI score 6.7, EPSS 0.00002
Exploits 0, References 4
Positive Technologies
added 2026/01/07 12:00 a.m., 2 views

PT-2026-1637

Name of the Vulnerable Software and Affected Versions Sticky Action Buttons plugin for WordPress versions up to and including 1.1 Description The software is susceptible to Cross-Site Request Forgery CSRF. This is caused by a lack of, or incorrect, nonce validation within the sabs options page fo...

CVSS 4.3, AI score 6.2, EPSS 0.00012
Exploits 0, References 4
Positive Technologies
added 2026/01/07 12:00 a.m., 4 views

PT-2026-1613

Name of the Vulnerable Software and Affected Versions Mamurjor Employee Info plugin for WordPress versions up to and including 1.0.0 Description The software is susceptible to Cross-Site Request Forgery CSRF due to the absence of nonce validation on several administrative functions. This allows...

CVSS 4.3, AI score 6.3, EPSS 0.00017
Exploits 0, References 9
RedhatCVE
added 2026/01/06 6:05 p.m., 4 views

CVE-2025-59955

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the /api/v1/teams/teamid/members and /api/v1/teams/current/members API endpoints allows...

CVSS 7.1, AI score 6.2, EPSS 0.0003
Exploits 1, References 1
Github Security Blog
added 2026/01/06 5:18 p.m., 9 views

Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced

Summary: Pterodactyl does not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions...

CVSS 7.5, AI score 6.8, EPSS 0.00011
Exploits 0, References 5, Affected Software 2
OSV
added 2026/01/06 5:18 p.m., 2 views

GHSA-8C39-XPPG-479C Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced

Summary: Pterodactyl does not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions...

CVSS 7.5, AI score 6.7, EPSS 0.00011
Exploits 0, References 5
NVD
added 2026/01/06 4:15 p.m., 1 view

CVE-2020-36906

P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking...

CVSS 5.3, EPSS 0.00022
Exploits 1, References 7
Cvelist
added 2026/01/06 3:52 p.m., 22 views

CVE-2020-36906 P5 FNIP-8x16A FNIP-4xSH 1.0.20 Cross-Site Request Forgery via User Management

P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user consent. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking...

CVSS 5.3, EPSS 0.00022
Exploits 1, References 7
NVD
added 2026/01/06 5:15 a.m., 10 views

CVE-2025-14996

The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it...

CVSS 9.8, EPSS 0.00177
Exploits 0, References 2
NVD
added 2026/01/06 4:15 a.m., 3 views

CVE-2025-14034

The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'deletesingleticketcallback' and 'changeticketstatuscallback' functions in all versions up to, and including, 1.2.6. This makes it...

CVSS 5.3, EPSS 0.00043
Exploits 0, References 6
Snyk
added 2026/01/06 1:53 a.m., 1 view

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration in the SFTP access control process. An attacker can maintain unauthorized access to files by remaining connected to SFTP after their permissions have been revoked or after the game server has been deleted...

CVSS 7.5, AI score 6.9, EPSS 0.00011
Exploits 0, References 2
NVD
added 2026/01/06 1:16 a.m., 6 views

CVE-2025-68954

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to...

CVSS 7.5, EPSS 0.00011
Exploits 0, References 3