14 matches found
EUVD-2026-30269
Insecure direct object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the ‘/app/FrontController’ endpoint, through manipulation of the ‘employeeID’ parameter. An authenticated attacker could exploit this vulnerability to access information about any employee: first names, last...
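The Stel Order entry above describes the usual IDOR shape: the endpoint checks that the caller is logged in, but not that the caller is allowed to see the record selected by the ‘employeeID’ parameter, so any authenticated user can walk the ID space. The Python below is an added illustration of that pattern next to its fix, not Stel Order code; the employee table, the session object and the HR/admin role names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    employee_id: int
    first_name: str
    last_name: str
    salary: int


@dataclass(frozen=True)
class Session:
    """Who is making the request, as populated from the authenticated session."""
    user_id: int            # employee record this login corresponds to
    roles: frozenset        # e.g. frozenset({"hr"}); constructed role names


# Constructed sample data standing in for the application's employee table.
EMPLOYEES = {
    101: Employee(101, "Ana", "Perez", 52000),
    102: Employee(102, "Luis", "Garcia", 61000),
}

# Roles that may read any employee record (assumed for this example).
HR_ROLES = frozenset({"hr", "admin"})


class Forbidden(PermissionError):
    """Caller is authenticated but not authorised for this object."""


def get_employee_idor(session: Session, employee_id: int) -> Employee:
    """Vulnerable shape: authentication is checked, the object is not.

    Any logged-in user can request employeeID=101, 102, ... and read
    every record, which is exactly what the advisory describes.
    """
    if session is None:
        raise PermissionError("login required")
    return EMPLOYEES[employee_id]


def get_employee(session: Session, employee_id: int) -> Employee:
    """Hardened: authorise the (caller, object) pair, not only the caller."""
    if session is None:
        raise PermissionError("login required")
    record = EMPLOYEES.get(employee_id)
    # Missing and forbidden records get the same error so the ID space
    # cannot be enumerated by telling 403 apart from 404.
    if record is None:
        raise Forbidden("no access to that employee")
    is_self = employee_id == session.user_id
    if not is_self and not (session.roles & HR_ROLES):
        raise Forbidden("no access to that employee")
    return record


def can_read(session: Session, employee_id: int) -> bool:
    """Boolean view of get_employee(), convenient for tests and audit checks."""
    try:
        get_employee(session, employee_id)
        return True
    except PermissionError:
        return False
```

The object-level check is the part that is missing in an IDOR; opaque or random identifiers only slow enumeration down and are not a substitute for it.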
CVE-2026-2556 cskefu Endpoint MediaController.java server-side request forgery
A security vulnerability has been detected in cskefu up to 8.0.1. This issue affects some unknown processing of the file com/cskefu/cc/controller/resource/MediaController.java of the component Endpoint. The manipulation of the argument url leads to server-side request forgery. The attack may be...
CVE-2023-54327 Tinycontrol LAN Controller 1.58a Authentication Bypass via Admin Password Change
Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentication parameter to disable access controls...
CVE-2023-54327
CVE-2023-54327 affects Tinycontrol LAN Controller 1.58a. An authentication bypass allows unauthenticated attackers to change admin passwords by sending a crafted request to the /stm.cgi endpoint, disabling access controls and modifying administrative credentials. Impacts are described as high (co...
CVE-2023-53923
UliCMS 2023.1 is affected by a privilege-escalation vulnerability in the UserController endpoint. An unauthenticated attacker can issue a crafted POST to /dist/admin/index.php to create a new admin account with full system access. Documents identify the vulnerable component and impact (unrestrict...
EUVD-2025-24604
Malicious code in bioql PyPI...
CVE-2025-45315
A cross-site scripting (XSS) vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the email parameter...
SUSE CVE-2025-53513
The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through th...
PT-2023-29775 · Unknown · Thirty Bees Core
Name of the Vulnerable Software and Affected Versions: Thirty Bees Core version 1.4.0 Description: The issue is a reflected cross-site scripting (XSS) vulnerability. It allows attackers to execute arbitrary JavaScript in a user's web browser via a crafted payload. The vulnerability is exploited...
PT-2022-19101 · Unknown · Asith-Eranga Isic Tour Booking
Name of the Vulnerable Software and Affected Versions: asith-eranga ISIC tour booking versions prior to the version published on Feb 13th 2018 Description: An issue in asith-eranga ISIC tour booking allows attackers to gain sensitive information via the action parameter to "/system/user/modules/m...
PT-2022-23911 · Unknown · Shirne Cms
Name of the Vulnerable Software and Affected Versions: Shirne CMS version 1.2.0 Description: The issue is related to a Path Traversal vulnerability that could cause arbitrary file read. This is possible via the /static/ueditor/php/controller.php endpoint. Recommendations: For Shirne CMS version...
PT-2022-23493 · Unknown · Kkfileview
Name of the Vulnerable Software and Affected Versions: kkFileView version 4.0.0 Description: The issue allows for arbitrary file deletion via the fileName parameter at the /controller/FileController.java endpoint. Recommendations: For kkFileView version 4.0.0, consider restricting access to the...
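The Juju charm upload (Zip Slip), the Shirne CMS arbitrary file read and the kkFileView arbitrary file deletion above share one root cause: a filesystem path is built from attacker-controlled input (an archive entry name, or a fileName/URL parameter) and used without checking that it still resolves inside the directory the code meant to stay in. The Python below is an added example of that containment check applied to both archive extraction and a file-name parameter; it is not code from any of those projects, and the sample archive, directory layout and function names are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when an untrusted path would resolve outside the allowed base."""


def safe_join(base: str, untrusted: str) -> Path:
    """Resolve `untrusted` under `base` and refuse anything that escapes it.

    resolve() collapses '../' segments and follows symlinks that already
    exist under base, and an absolute `untrusted` value discards `base`
    in the join, so all three cases end up outside base and are rejected.
    """
    base_path = Path(base).resolve()
    candidate = (base_path / untrusted).resolve()
    if candidate != base_path and base_path not in candidate.parents:
        raise PathEscape(f"{untrusted!r} escapes {base}")
    return candidate


def extract_zip_safely(zip_bytes: bytes, dest: str) -> dict:
    """Extract an archive into dest, skipping entries that would escape it.

    Returns {'written': [...], 'rejected': [...]} so the caller can log or
    refuse the whole upload when anything was rejected.
    """
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = safe_join(dest, info.filename)   # the Zip Slip check
            except PathEscape:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return {"written": written, "rejected": rejected}


def delete_upload(upload_dir: str, file_name: str) -> bool:
    """Delete a file under upload_dir; a traversing fileName raises PathEscape."""
    target = safe_join(upload_dir, file_name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def build_demo_zip() -> bytes:
    """Constructed sample archive: one benign entry and one Zip Slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("charm/metadata.yaml", "name: demo\n")
        zf.writestr("../escaped.txt", "pwned\n")   # would land one level above dest
    return buf.getvalue()


def demo() -> dict:
    """Run both checks in a scratch directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "unit")
        os.makedirs(dest)
        result = extract_zip_safely(build_demo_zip(), dest)
        result["escaped_exists"] = os.path.exists(os.path.join(tmp, "escaped.txt"))
        # Traversal through a file-name parameter (the file read/delete shape).
        result["delete_ok"] = delete_upload(dest, "charm/metadata.yaml")
        try:
            delete_upload(dest, "../../etc/passwd")
            result["delete_traversal_blocked"] = False
        except PathEscape:
            result["delete_traversal_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The check is done on the fully resolved path rather than by searching the input for "..", so encoded or mixed separators and symlink tricks are handled by the same rule. For a controller that accepts uploads, rejecting the whole archive when `rejected` is non-empty is the safer policy than silently dropping entries.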
PT-2018-4938 · Red Hat · Jboss Bpm Suite
Name of the Vulnerable Software and Affected Versions: JBoss BPM Suite 6 Description: The issue allows remote attackers to perform a reflected XSS attack via dashbuilder. This can be achieved by enticing authenticated users, typically admins, to click on malicious links to the...
Dashbuilder: Reflected XSS
JBoss BPM Suite 6 is vulnerable to a reflected XSS via dashbuilder. Remote attackers can entice authenticated users that have privileges to access dashbuilder (usually admins) to click on links to /dashbuilder/Controller containing malicious scripts. Successful exploitation would allow execution of...