122 matches found
CVE-2026-8428
Concrete CMS 9.5.0 and below emits a CSRF token in the localavailableupdate.php view ($token->output('doupdate')) but the corresponding doupdate method in concrete/controllers/singlepage/dashboard/system/update/update.php never calls $this->token->validate('doupdate'). The form is rendered as a POST form,...
CVE-2026-21861
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is...
GHSA-QXMC-6F24-G86G baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)
Summary: In the core update functionality of baserCMS, some parameters sent from the admin panel are passed to the exec function without proper validation or escaping. This issue allows an authenticated CMS administrator to execute arbitrary OS commands on the server (Remote Code Execution, RCE). Th...
EUVD-2026-17255
baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)...
baserCMS has OS Command Injection Leading to Remote Code Execution (RCE)
Summary: In the core update functionality of baserCMS, some parameters sent from the admin panel are passed to the exec function without proper validation or escaping. This issue allows an authenticated CMS administrator to execute arbitrary OS commands on the server (Remote Code Execution, RCE). Th...
Command Injection
Overview: baserproject/basercms is a content management system based on CakePHP. Affected versions of this package are vulnerable to Command Injection in the core update process. An attacker can execute arbitrary operating system commands on the server by supplying crafted input that is passed...
CVE-2026-21861
baserCMS prior to version 5.2.3 contains an OS command injection in the core update functionality. An authenticated administrator can pass user-controlled input to exec() without proper validation/escaping, allowing arbitrary OS command execution on the server. The issue is fixed in version 5.2.3...
CVE-2026-21861 baserCMS: OS Command Injection Leading to Remote Code Execution (RCE)
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute arbitrary OS commands on the server due to improper handling of user-controlled input that is...
baserCMS Security Vulnerability
BaserCMS is a corporate-level content management system (CMS) developed by the BaserCMS team. Versions of BaserCMS prior to 5.2.3 contained security vulnerabilities. These vulnerabilities stemmed from OS command injection within the core update functionality, which could allow authenticated...
PT-2026-29146
Name of the Vulnerable Software and Affected Versions: baserCMS versions prior to 5.2.3. Description: baserCMS is a website development framework. Prior to version 5.2.3, it contains an OS command injection vulnerability in the core update functionality. An authenticated administrator can execute...
Security Update for Microsoft .NET Core SDK (March 2026)
The version of .NET Core SDK installed on the remote host is 8.x prior to 8.0.125, 8.0.4xx prior to 8.0.419, 9.x prior to 9.0.115, 9.0.3xx prior to 9.312, or 10.x prior to 10.0.104. It is, therefore, affected by multiple vulnerabilities as referenced in the vendor advisory: - Out-of-bounds read i...
CVE-2019-25400
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grpname, remark, SRVNAME, SRVPORT,...
CVE-2019-25396
IPFire 2.21 Core Update 127 contains a reflected cross-site scripting vulnerability in the updatexlrator.cgi script that allows attackers to inject malicious scripts through POST parameters. Attackers can submit crafted requests with script payloads in the MAX_DISK_USAGE or MAX_DOWNLOAD_RATE paramete...
CVE-2019-25400 IPFire 2.21 Core Update 127 Multiple XSS via fwhosts.cgi
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the fwhosts.cgi script that allow attackers to inject malicious scripts through multiple parameters including HOSTNAME, IP, SUBNET, NETREMARK, HOSTREMARK, newhost, grpname, remark, SRVNAME, SRVPORT,...
CVE-2019-25397 IPFire 2.21 Core Update 127 Cross-Site Scripting via hosts.cgi
IPFire 2.21 Core Update 127 contains multiple reflected cross-site scripting vulnerabilities in the hosts.cgi script that allow attackers to inject malicious scripts through unvalidated parameters. Attackers can submit POST requests with script payloads in the KEY1, IP, HOST, or DOM parameters to...
CVE-2019-25396
IPFire 2.21 Core Update 127 is vulnerable to a reflected XSS in updatexlrator.cgi. Attackers can submit crafted POST requests with scripts in MAX_DISK_USAGE or MAX_DOWNLOAD_RATE to execute arbitrary JavaScript in users’ browsers. CVSS metrics are provided (CVSS 4.0 base 5.1, CVSS 3.1 base 6.1); n...