Lucene search
21 matches found

Cvelist
added 2026/05/15 6:36 p.m., 30 views

CVE-2026-45007 phpMyFAQ - Missing Permission Check on 12 Configuration API Endpoints Allows Information Disclosure

phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated instead of userHasPermission(CONFIGURATION_EDIT). Any authenticated user can enumerate system configuration metadata including permission model, cache backend, mail...

CVSS 5.3, EPSS 0.00009
Exploits 0, References 2
CVE
added 2026/05/15 6:36 p.m., 9 views

CVE-2026-45007

CVE-2026-45007 affects phpMyFAQ prior to 4.1.2. In ConfigurationTabController.php, 12 endpoints perform userIsAuthenticated() checks instead of validating permission with userHasPermission(CONFIGURATION_EDIT), enabling information disclosure. Any authenticated user can enumerate configuration met...

CVSS 5.3, AI score 5.8, EPSS 0.00009
Exploits 0, References 2
Vulnrichment
added 2026/05/15 6:36 p.m., 6 views

CVE-2026-45007 phpMyFAQ - Missing Permission Check on 12 Configuration API Endpoints Allows Information Disclosure

phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated instead of userHasPermission(CONFIGURATION_EDIT). Any authenticated user can enumerate system configuration metadata including permission model, cache backend, mail...

CVSS 5.3, AI score 5.8, EPSS 0.00009
Exploits 0, References 2
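The phpMyFAQ entries above describe the classic confusion between authentication and authorization: an endpoint that checks only userIsAuthenticated hands configuration metadata to any logged-in account. The following is an added example, not phpMyFAQ's code, written in JavaScript. It reuses the names userIsAuthenticated, userHasPermission and CONFIGURATION_EDIT from the advisory; the request and user shapes, the route paths and the configuration payload are assumptions made for the demo. It shows the flawed and the fixed handler side by side, a shared guard that makes the per-endpoint mistake harder to repeat, and an audit helper that calls every configuration route as a low-privilege user and reports which ones still answer with data.

```javascript
// Added example, not phpMyFAQ code: an authentication check is not an authorization
// check. userIsAuthenticated, userHasPermission and CONFIGURATION_EDIT are the names
// from the advisory; the request/user shape, route paths and payload are assumptions.
const CONFIGURATION_EDIT = 'CONFIGURATION_EDIT';

// Request-scoped user, null or undefined when there is no session.
function userIsAuthenticated(req) {
  return req.user !== null && req.user !== undefined;
}

// Authorization: the session must hold the named permission.
function userHasPermission(req, permission) {
  return userIsAuthenticated(req) && req.user.permissions.includes(permission);
}

// Constructed stand-in for the metadata the advisory says these endpoints return.
const CONFIG_METADATA = { permissionModel: 'basic', cacheBackend: 'file', mailHost: 'mail.example.invalid' };

// Flawed pattern: "has a session" is treated as "may read configuration".
function vulnerableConfigHandler(req) {
  if (!userIsAuthenticated(req)) return { status: 401, body: 'login required' };
  return { status: 200, body: CONFIG_METADATA };
}

// Fixed pattern: the endpoint demands CONFIGURATION_EDIT explicitly.
function fixedConfigHandler(req) {
  if (!userIsAuthenticated(req)) return { status: 401, body: 'login required' };
  if (!userHasPermission(req, CONFIGURATION_EDIT)) return { status: 403, body: 'forbidden' };
  return { status: 200, body: CONFIG_METADATA };
}

// One guard applied at registration time, so an endpoint cannot be added to the
// configuration area with the weaker check by accident.
function requirePermission(permission, handler) {
  return (req) => {
    if (!userIsAuthenticated(req)) return { status: 401, body: 'login required' };
    if (!userHasPermission(req, permission)) return { status: 403, body: 'forbidden' };
    return handler(req);
  };
}

// Audit helper: call every configuration route as a low-privilege user and report
// the ones that still answer 200. This is the check that flags the pattern across
// a whole route table instead of one endpoint at a time.
function findLeakingEndpoints(routes, lowPrivReq) {
  return Object.keys(routes).filter((route) => routes[route](lowPrivReq).status === 200);
}

// Constructed principals.
const anonymous = { user: null };
const plainUser = { user: { id: 2, permissions: ['FAQ_VIEW'] } };
const adminUser = { user: { id: 1, permissions: ['FAQ_VIEW', CONFIGURATION_EDIT] } };

// Constructed route table (paths illustrative): one endpoint with the flawed check,
// one fixed by hand, one wrapped with the shared guard.
const routes = {
  '/api/configuration/cache': vulnerableConfigHandler,
  '/api/configuration/mail': fixedConfigHandler,
  '/api/configuration/permissions': requirePermission(CONFIGURATION_EDIT, () => ({ status: 200, body: CONFIG_METADATA })),
};

console.log('leaks to plain user:', findLeakingEndpoints(routes, plainUser));
console.log('visible to admin:', findLeakingEndpoints(routes, adminUser));
```

The audit helper is the part worth keeping: run it in CI with a fixture user that holds every permission except the one the route family is supposed to require, and any 200 is a regression.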
CVE
added 2026/05/07 12:00 a.m., 8 views

CVE-2026-30496

The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01 on Android 8.0.0) exposes an unauthenticated HTTP API on TCP port 2345 that allows full remote control, including reading 74 configuration endpoints and modifying settings (volume, mute, brightness, power, network protocols including ...

CVSS 9.8, AI score 5.9, EPSS 0.00069
Exploits 0, References 1
Positive Technologies
added 2026/05/07 12:00 a.m., 9 views

PT-2026-38435

Name of the Vulnerable Software and Affected Versions: Optoma CinemaX P2 version TVOS-04.24.010.04.01. Description: The device exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control. This API enables reading configuration across 74 endpoints and modifying settings such ...

CVSS 9.8, AI score 5.9, EPSS 0.00069
Exploits 0, References 4
EUVD
added 2026/04/24 12:31 a.m., 2 views

EUVD-2026-25350

A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact...

CVSS 9.8, AI score 5.7, EPSS 0.0015
Exploits 0, References 4
NVD
added 2026/04/24 12:16 a.m., 1 view

CVE-2026-40630

A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact...

CVSS 9.8, EPSS 0.0015
Exploits 0, References 3
CVE
added 2026/04/23 11:45 p.m., 9 views

CVE-2026-40630

SenseLive X3050: a vulnerability in the web management interface allows an attacker with network access to bypass authentication and directly interact with sensitive configuration functions due to improper access control. Affected: SenseLive X3050 web management component; impact includes high co...

CVSS 9.8, AI score 5.7, EPSS 0.0015
Exploits 0, References 3, Affected Software 1
Cvelist
added 2026/04/23 11:45 p.m., 22 views

CVE-2026-40630 SenseLive X3050 Authentication bypass using an alternate path or channel

A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact...

CVSS 9.8, EPSS 0.0015
Exploits 0, References 3
ATTACKERKB
added 2026/04/23 11:45 p.m., 0 views

CVE-2026-40630

A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact...

CVSS 9.8, AI score 5.7, EPSS 0.0015
Exploits 0, References 4, Affected Software 1
Vulnrichment
added 2026/04/23 11:45 p.m., 1 view

CVE-2026-40630 SenseLive X3050 Authentication bypass using an alternate path or channel

A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact...

CVSS 9.8, AI score 5.3, EPSS 0.0015
Exploits 0, References 3
Positive Technologies
added 2026/04/23 12:00 a.m., 1 view

PT-2026-34797

A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the device may be able to bypass the intended authentication mechanism and directly interact...

CVSS 9.8, AI score 5.7, EPSS 0.0015
Exploits 0, References 5
Github Security Blog
added 2026/02/18 12:57 a.m., 17 views

OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway

Summary: OpenClaw Gateway supports hook mappings with optional JavaScript/TypeScript transform modules. In affected versions, the gateway did not sufficiently constrain configured module paths before passing them to dynamic import. Under some configurations, a user who can modify gateway...

CVSS 8.6, AI score 6.2, EPSS 0.00101
Exploits 0, References 7, Affected Software 1
OSV
added 2026/02/18 12:57 a.m., 4 views

GHSA-V6C6-VQQG-W888 OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway

Summary: OpenClaw Gateway supports hook mappings with optional JavaScript/TypeScript transform modules. In affected versions, the gateway did not sufficiently constrain configured module paths before passing them to dynamic import. Under some configurations, a user who can modify gateway...

CVSS 8.6, AI score 6.2, EPSS 0.00101
Exploits 0, References 7
Cvelist
added 2026/01/13 12:00 a.m., 21 views

CVE-2025-68707

An authentication bypass vulnerability in the Tongyu AX1800 Wi-Fi 6 Router with firmware 1.0.0 allows unauthenticated network-adjacent attackers to perform arbitrary configuration changes without providing credentials, as long as a valid admin session is active. This can result in full compromise...

EPSS 0.00201
Exploits 1, References 3
Cvelist
added 2025/12/31 6:39 p.m., 22 views

CVE-2021-47741 ZBL EPON ONU Broadband Router V100R001 Privilege Escalation via Configuration Endpoint

ZBL EPON ONU Broadband Router V100R001 contains a privilege escalation vulnerability that allows limited administrative users to elevate access by sending requests to configuration endpoints. Attackers can exploit the vulnerability by accessing the configuration backup or password page to disclos...

CVSS 8.7, EPSS 0.00055
Exploits 1, References 5
NVD
added 2025/12/26 4:15 p.m., 1 view

CVE-2025-67013

The web management interface in ETL Systems Ltd DEXTRA Series Digital L-Band Distribution System v1.8 does not implement Cross-Site Request Forgery (CSRF) protection mechanisms (no tokens, no Origin/Referer validation) on critical configuration endpoints...

CVSS 6.5, EPSS 0.00009
Exploits 1, References 2
CNNVD
added 2025/12/26 12:00 a.m., 3 views

ETL Systems DEXTRA Series security vulnerability

ETL Systems DEXTRA Series is a range of RF distribution and synthesis equipment from ETL UK. A security vulnerability exists in ETL Systems DEXTRA Series version v1.8, which stems from a failure to implement a cross-site request forgery protection mechanism at critical configuration endpoints...

CVSS 6.5, AI score 6.8, EPSS 0.00009
Exploits 1, References 3
CVE
added 2025/12/26 12:00 a.m., 8 views

CVE-2025-67013

The CVE-2025-67013 entry concerns ETL Systems Ltd DEXTRA Series Digital L-Band Distribution System v1.8. The web management interface does not implement CSRF protections (no tokens, no Origin/Referer validation) on critical configuration endpoints, per Red Hat and NVD entries. Affected component:...

CVSS 6.5, AI score 6.6, EPSS 0.00009
Exploits 1, References 2, Affected Software 1
Veracode
added 2025/12/13 5:00 a.m., 4 views

Cross-site Request Forgery (CSRF)

org.jenkins-ci.plugins, publish-to-bitbucket is vulnerable to cross-site request forgery (CSRF). The vulnerability is due to missing CSRF protection in the plugin configuration endpoints, which allows an attacker to force a victim to connect Jenkins to an attacker-controlled URL using...

CVSS 5.4, AI score 6.8, EPSS 0.00026
Exploits 0, References 4, Affected Software 1