32 matches found

GithubExploit
added 2026/05/26 2:55 p.m., 62 views

Exploit for CVE-2026-46275

CVE-2026-46725 — TYPO3 ceselector Extension RCE PHP Objec...

CVSS 9.2 · AI score 5.8 · EPSS 0.03271
Exploits 1
NVD
added 2026/03/21 4:17 a.m., 2 views

CVE-2026-2468

The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntnwpaccess' cookie in all versions up to, and including, 1.2.12. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the getuseraccess metho...

CVSS 7.5 · EPSS 0.00102
Exploits 0 · References 3
Cvelist
added 2025/12/31 6:39 p.m., 22 views

CVE-2021-47726 NuCom 11N Wireless Router 5.07.90 Privilege Escalation via Configuration Backup

NuCom 11N Wireless Router 5.07.90 contains a privilege escalation vulnerability that allows non-privileged users to access administrative credentials through the configuration backup endpoint. Attackers can send a crafted HTTP GET request to the backup configuration page with a specific cookie to...

CVSS 8.7 · EPSS 0.00103
Exploits 1 · References 4
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2019-3773

Malware in sbrugna...

CVSS 6.5 · AI score 6.6 · EPSS 0.00189
Exploits 1 · References 2
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2013-5995

Malware in sbrugna...

CVSS 6.8 · AI score 6.1 · EPSS 0.00634
Exploits 0 · References 7
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-42512

Malicious code in bioql PyPI...

CVSS 5.4 · AI score 5.7 · EPSS 0.00173
Exploits 0 · References 1
OSV
added 2025/08/27 4:46 p.m., 3 views

GHSA-7PWC-WH6M-44Q3 Google Sign-In for Rails allowed redirects to malformed URLs

Summary It is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Details The googlesignin gem persists an optional URL for redirection after authentication. If this URL is malformed, it's possible for the user to be...

CVSS 4.2 · AI score 7.3 · EPSS 0.00059
Exploits 0 · References 8
OSV
added 2025/08/27 4:32 p.m., 2 views

CVE-2025-57821 Basecamp's Google Sign-In for Rails allowed redirects to a malformed URL

Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.0, it is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Rails applications configured to store the flash information in a...

CVSS 4.2 · AI score 6.7 · EPSS 0.00059
Exploits 0 · References 6
OSV
added 2025/06/03 8:52 p.m., 6 views

CVE-2025-48951 Auth0-PHP SDK Deserialization of Untrusted Data vulnerability

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. Versions 8.0.0-BETA3 prior to 8.3.1 contain a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially...

CVSS 9.3 · AI score 6.6 · EPSS 0.00164
Exploits 0 · References 7
RedhatCVE
added 2025/05/22 9:48 a.m., 8 views

CVE-2011-4508

The HMI web server in Siemens WinCC flexible 2004, 2005, 2007, and 2008 before SP3; WinCC V11 aka TIA portal before SP2 Update 1; the TP, OP, MP, Comfort Panels, and Mobile Panels SIMATIC HMI panels; WinCC V11 Runtime Advanced; and WinCC flexible Runtime generates predictable authentication token...

CVSS 9.3 · AI score 7.1 · EPSS 0.00418
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 8:12 a.m., 7 views

CVE-2019-15955

An issue was discovered in Total.js CMS 12.0.0. A low privilege user can perform a simple transformation of a cookie to obtain the random values inside it. If an attacker can discover a session cookie owned by an admin, then it is possible to brute force it with O(n)=2n instead of O(n)=n^x complexity...

CVSS 6.5 · AI score 6.8 · EPSS 0.00128
Exploits 1 · References 1
RedhatCVE
added 2025/05/15 4:34 p.m., 10 views

CVE-2025-46721

nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass CSRF checks and issue requests on user's behal...

CVSS 6.1 · AI score 6.7 · EPSS 0.00044
Exploits 2 · References 1
Github Security Blog
added 2025/05/08 2:45 p.m., 16 views

Rack session gets restored after deletion

Summary When using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Details Rack session middleware prepares the session at the beginning of request, then saves it back to the store wit...

CVSS 4.2 · AI score 4.6 · EPSS 0.00096
Exploits 0 · References 7 · Affected Software 1
Vulnrichment
added 2024/01/08 11:34 a.m., 2 views

CVE-2023-6921 SQL Injection in PrestaShop Google Integrator

Blind SQL Injection vulnerability in PrestaShow Google Integrator PrestaShop addon allows for data extraction and modification. This attack is possible via command insertion in one of the cookies...

CVSS 9.8 · AI score 8.6 · EPSS 0.00198
Exploits 0 · References 3
OSV
added 2023/10/13 2:15 p.m., 0 views

CVE-2023-45393

An indirect object reference (IDOR) in GRANDING UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to access sensitive information via a crafted cookie...

CVSS 6.5 · AI score 5.8
Exploits 0 · References 1
CNNVD
added 2023/10/13 12:00 a.m., 1 view

GRANDING UTime Master Security Vulnerability

GRANDING UTime Master is a powerful web-based time and attendance management software from GRANDING. A security vulnerability exists in GRANDING UTime Master v9.0.7-Build: Apr 4,2023 that stems from a vulnerability that allows an authenticated attacker to access sensitive information via a crafte...

CVSS 6.5 · AI score 6.3 · EPSS 0.00069
Exploits 1 · References 2
Positive Technologies
added 2023/05/22 12:00 a.m., 1 view

PT-2023-23128 · Portswigger +1 · Burp Suite +1

Name of the Vulnerable Software and Affected Versions: Apache InLong versions 1.2.0 through 1.6.0 Description: This issue is related to improper privilege management. When an attacker has access to a valid but unprivileged account, the exploit can be executed using Burp Suite by sending a login...

CVSS 9.8 · AI score 6.8 · EPSS 0.00257
Exploits 0 · References 8
Positive Technologies
added 2022/09/21 12:00 a.m., 3 views

PT-2022-19284 · Octoprint · Octoprint

Name of the Vulnerable Software and Affected Versions: OctoPrint versions prior to 1.8.3 Description: The issue allows an attacker to authenticate using a victim's OctoPrint session cookie as long as the victim's account exists. This can be done if the attacker comes into possession of the cookie...

CVSS 5.3 · AI score 4.4 · EPSS 0.00047
Exploits 1 · References 11
Prion
added 2022/03/11 12:15 a.m., 10 views

Hardcoded credentials

FreeTAKServer 1.9.8 contains a hardcoded Flask secret key which allows attackers to create crafted cookies to bypass authentication or escalate privileges...

CVSS 6.5 · AI score 8.9 · EPSS 0.00289
Exploits 1 · References 1 · Affected Software 1
OSV
added 2019/06/19 3:15 p.m., 1 view

CVE-2019-6971

An issue was discovered on TP-Link TL-WR1043ND V2 devices. An attacker can send a cookie in an HTTP authentication packet to the router management web interface, and fully control the router without knowledge of the credentials...

CVSS 9.8 · AI score 7.3
Exploits 0 · References 2