24 matches found

The Hacker News
added yesterday · 8 views

CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The...

CVSS 9.8 · AI score 6.9 · EPSS 0.00137
Exploits 0
ATTACKERKB
added 2026/05/18 10:5 p.m. · 8 views

CVE-2026-27964

FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick cookie ...

CVSS 3.9 · AI score 5.8 · EPSS 0.00018
Exploits 0 · References 3 · Affected Software 1
CNNVD
added 2026/03/30 12:0 a.m. · 3 views

WordPress plugin Debugger & Troubleshooter Security Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVSS 8.8 · AI score 5.8 · EPSS 0.00033
Exploits 0 · References 5
RedhatCVE
added 2026/03/26 3:0 p.m. · 2 views

CVE-2026-2468

The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntnwpaccess' cookie in all versions up to, and including, 1.2.12. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the getuseraccess metho...

CVSS 7.5 · AI score 5.9 · EPSS 0.00102
Exploits 0 · References 1
NVD
added 2026/03/13 7:54 p.m. · 1 views

CVE-2026-22204

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...

CVSS 6.3 · EPSS 0.00062
Exploits 0 · References 3
Vulnrichment
added 2025/12/31 6:39 p.m. · 2 views

CVE-2021-47726 NuCom 11N Wireless Router 5.07.90 Privilege Escalation via Configuration Backup

NuCom 11N Wireless Router 5.07.90 contains a privilege escalation vulnerability that allows non-privileged users to access administrative credentials through the configuration backup endpoint. Attackers can send a crafted HTTP GET request to the backup configuration page with a specific cookie to...

CVSS 8.7 · AI score 6.8 · EPSS 0.00103
Exploits 1 · References 4
Positive Technologies
added 2024/09/02 12:0 a.m. · 2 views

PT-2024-6139 · Zyxel · Wax655E +4

Name of the Vulnerable Software and Affected Versions: Zyxel NWA1123ACv3 versions 6.70ABVT.4 and earlier Zyxel WAC500 versions 6.70ABVS.4 and earlier Zyxel WAX655E versions 7.00ACDO.1 and earlier Zyxel WBE530 versions 7.00ACLE.1 and earlier Zyxel USG LITE 60AX version V2.00ACIP.2 Description: The...

CVSS 10 · AI score 8.3 · EPSS 0.27875
Exploits 0 · References 57
Vulnrichment
added 2023/07/06 11:9 p.m. · 9 views

CVE-2023-35120 PiiGAB M-Bus Cross-Site Request Forgery

PiiGAB M-Bus is vulnerable to cross-site request forgery. An attacker who wants to execute a certain command could send a phishing mail to the owner of the device and hope that the owner clicks on the link. If the owner of the device has a cookie stored that allows the owner to be logged in, then...

CVSS 8.8 · AI score 6.8 · EPSS 0.00089
Exploits 0 · References 1
SUSE CVE
added 2023/02/15 6:9 a.m. · 2 views

SUSE CVE-2008-1149

phpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters instead of $_GET and $_POST, which allows attackers in the same domain to override certain variables and conduct SQL injection and Cross-Site Request Forgery (CSRF) attacks by using crafted cookies...

CVSS 5.1 · AI score 8 · EPSS 0.0093
Exploits 0 · References 6
Huntr
added 2022/10/04 1:47 p.m. · 17 views

Password Reset Poisoning

Description Elgg uses the HTTP Host-Header in a password reset request to generate the password reset link that is sent to the user in an email without any filters or checks. This allows an attacker to craft a password reset request using a manipulated host header, resulting in reset-token leakag...

AI score 7.2
Exploits 0 · References 1
Prion
added 2019/06/07 4:29 p.m. · 11 views

Cross site request forgery (csrf)

Ubiquiti UniFi 52 devices, when Hotspot mode is used, allow remote attackers to bypass intended restrictions on "free time" Wi-Fi usage by sending a /guest/s/default/ request to obtain a cookie, and then using this cookie in a /guest/s/default/login request with the byfree parameter...

CVSS 4.3 · AI score 5.8 · EPSS 0.00662
Exploits 1 · References 1
CVE
added 2018/12/10 7:0 p.m. · 77 views

CVE-2018-1279

CVE-2018-1279 affects Pivotal RabbitMQ for PCF, all versions. The root cause is a deterministically generated authentication cookie that is shared across all nodes in a multi-tenant cluster. A remote attacker who can glean information about the network topology can guess this cookie and, if they ...

CVSS 8.5 · AI score 6.8 · EPSS 0.00383
Exploits 0 · References 1 · Affected Software 1
CNVD
added 2018/10/29 12:0 a.m. · 0 views

zzcms SQL Injection Vulnerability (CNVD-2018-26018)

ZZCMS is a CMS (Content Management System) used to quickly build Merchants type websites. A SQL injection vulnerability exists in the zs/search.php file in ZZCMS version 8.3. A remote attacker can exploit this vulnerability to obtain the current database name of mysql with the help of pxzs cookie...

CVSS 9.8 · AI score 9.8 · EPSS 0.0025
Exploits 1 · References 1
ATTACKERKB
added 2017/07/20 12:0 a.m. · 52 views

CVE-2017-9822

DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka “2017-08 Critical Possible remote code execution on DNN sites.” Recent assessments: Assessed Attacker Value: 0...

CVSS 8.8 · AI score 9 · EPSS 0.94293
In wild · Exploits 6 · References 4
Cvelist
added 2015/01/26 3:0 p.m. · 21 views

CVE-2014-9573

SQL injection vulnerability in manageuserpage.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTISMANAGEUSERSCOOKIE cookie...

AI score 7 · EPSS 0.00402
Exploits 3 · References 8
seebug.org
added 2014/07/01 12:0 a.m. · 18 views

mcGallery 1.1 - admin.php lang Parameter XSS

No description provided by source. source: http://www.securityfocus.com/bid/28587/info mcGallery is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the...

AI score 7.1
Exploits 0
seebug.org
added 2014/07/01 12:0 a.m. · 17 views

Basic Analysis And Security Engine <= 1.2.4 'readRoleCookie()' Authentication Bypass Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/35470/info Basic Analysis And Security Engine (BASE) is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to gain unauthorized access to the affected application. Successfully exploiting th...

AI score 7.1
Exploits 0
seebug.org
added 2014/07/01 12:0 a.m. · 26 views

PlaySMS Index.PHP Cross-Site Scripting Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/15928/info PlaySmS is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script...

AI score 7.1
Exploits 0
CVE
added 2014/04/01 5:0 p.m. · 36 views

CVE-2014-2212

POSH (POSH portal / Portaneo) is affected by multiple CVEs in 2014. CVE-2014-2211 describes an SQL injection in portal/addtoapplication.php via the rssurl parameter, enabling remote arbitrary SQL execution for POSH versions 3.0 before 3.3.0. CVE-2014-2212 reports a separate issue where the rememb...

CVSS 5 · AI score 6.1 · EPSS 0.00291
Exploits 1 · References 3 · Affected Software 1
OSV
added 2011/11/30 4:5 a.m. · 1 views

DEBIAN-CVE-2011-4345

Cross-site scripting (XSS) vulnerability in Namazu before 2.0.21, when Internet Explorer 6 or 7 is used, allows remote attackers to inject arbitrary web script or HTML via a cookie...

CVSS 2.6 · AI score 6 · EPSS 0.00442
Exploits 0 · References 1