Lucene search
K

2142 matches found

Vulnrichment
Vulnrichment
added 5 days ago7 views

CVE-2025-30008 HestiaCP < 1.9.5 Stored XSS via DNS Record Management Interface

HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars encoding ...

5.1CVSS6.2AI score0.00181EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago38 views

CVE-2025-30007 HestiaCP < 1.9.5 Authenticated OS Command Injection via DNS Record Management

HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in...

8.8CVSS0.02077EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/06 9:35 p.m.7 views

EUVD-2026-41153

Craft CMS: Stored XSS via Structure entry title in table view...

5.9CVSS5.9AI score0.00412EPSS
Exploits0References3
OSV
OSV
added 2026/07/06 8:28 p.m.6 views

GHSA-X76W-8C62-48MG Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission

Summary A user with Control Panel access but without permission to view a target private asset can call assets/preview-thumb and receive preview HTML that contains a signed fallback transform link for that private asset. Details Root-cause analysis: 1. The endpoint accepts an attacker-controlled...

5.3CVSS6AI score0.00193EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/04 12:0 a.m.11 views

PT-2026-55695

Name of the Vulnerable Software and Affected Versions HestiaCP affected versions not specified Description The panel cronjob feature contains a broken access control flaw. This allows users with low privileges to modify the panel cronjob to execute HestiaCP management scripts using passwordless...

8.3CVSS6AI score0.00256EPSS
Exploits0References8
OSV
OSV
added 2026/07/01 9:57 p.m.3 views

CVE-2026-55793 Craft CMS: Stored XSS via Structure entry title in table view

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under th...

5.9CVSS5.9AI score0.00412EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/01 9:57 p.m.33 views

CVE-2026-55793 Craft CMS: Stored XSS via Structure entry title in table view

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under th...

5.9CVSS0.00412EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/01 9:57 p.m.6 views

CVE-2026-55793

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.22, an author-level control panel user can store a malicious JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under th...

5.9CVSS5.7AI score0.00412EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.6 views

PT-2026-54861

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.22 Description A stored cross-site scripting issue exists where a user with author-level control panel permissions can embed a malicious JavaScript payload within an entry title. The execution occurs wh...

5.9CVSS6AI score0.00412EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/28 1:32 a.m.9 views

EUVD-2026-39974

MyBB 1.8.40 does not restrict which usergroup a limited Admin Control Panel user may assign when creating or editing users; the user module offers the Administrators group gid 4 and its datahandler's verifyusergroup unconditionally returns true. An admin holding only the delegated user-management...

8.6CVSS5.8AI score0.00272EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/26 10:12 p.m.9 views

EUVD-2026-38059

Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/25 3:0 p.m.32 views

CVE-2026-55477 Authenticated Arbitrary File Write via Database Import and Xray Log Path Manipulation

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

7.2CVSS0.00342EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/25 3:0 p.m.5 views

EUVD-2026-39432

3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...

7.2CVSS6.4AI score0.00342EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.16 views

PT-2026-51234

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.0-beta.1 Craft CMS versions 5.0.0-RC1 through 5.9.0-beta.1 Description Stored cross-site scripting occurs when settings names and field option labels are rendered without sanitization, specifically...

4.8CVSS5.9AI score0.00183EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.20 views

PT-2026-51232

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.7 Craft CMS versions 5.0.0-RC1 through 5.9.13 Description A missing authorization issue exists in the 'assets/preview-thumb' endpoint. A Control Panel user lacking permissions to view a specific privat...

5.3CVSS6AI score0.00193EPSS
Exploits0References11
NVD
NVD
added 2026/06/19 7:16 p.m.11 views

CVE-2026-49288

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources...

4.3CVSS0.00162EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/19 6:11 p.m.37 views

CVE-2026-49288 Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources...

4.3CVSS0.00162EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/19 6:11 p.m.7 views

CVE-2026-49288

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/19 6:11 p.m.24 views

CVE-2026-49288

Statamic CMS patch for CVE-2026-49288 fixes a missing authorization on Control Panel fieldtype endpoints that allowed an authenticated CP user to view restricted metadata and content (entries, assets, users, roles, groups, etc.). The issue could disclose titles, custom field values, entry content...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References1
OSV
OSV
added 2026/06/19 6:11 p.m.5 views

CVE-2026-49288 Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources...

4.3CVSS5.9AI score0.00162EPSS
Exploits0References3
Rows per page
Query Builder