Lucene search
K

5107 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:27 p.m.10 views

CVE-2026-40548

SOPlanning does not verify uploaded file extension. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on the server. When combined with CVE-2026-40547 Path...

6.4CVSS5.5AI score0.0031EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.9 views

CVE-2026-41264

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSVAgents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can...

9.8CVSS5.8AI score0.01028EPSS
Exploits3References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.12 views

CVE-2026-41137

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...

9.4CVSS5.5AI score0.0145EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/05 1:45 p.m.7 views

CVE-2026-11333

A security vulnerability has been detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. The impacted element is an unknown function of the file dashboardpage/forms/uploadstudentdata.php of the component Student Data...

6.5CVSS6.2AI score0.00214EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/05 1:45 p.m.34 views

CVE-2026-11333 tittuvarghese CollegeManagementSystem Student Data Upload Endpoint upload_student_data.php unrestricted upload

A security vulnerability has been detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. The impacted element is an unknown function of the file dashboardpage/forms/uploadstudentdata.php of the component Student Data...

6.5CVSS0.00214EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/05 12:0 a.m.18 views

PT-2026-46959

A security vulnerability has been detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. The impacted element is an unknown function of the file dashboard page/forms/upload student data.php of the component Student Data...

6.5CVSS6.2AI score0.00214EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/06/04 1:22 p.m.6 views

CVE-2019-25727

WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Attackers can send GET requests to the edit.php endpoint with export=exportcsv and a malicious path paramet...

9.8CVSS5.9AI score0.0046EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/06/04 1:22 p.m.37 views

CVE-2019-25727 WordPress Plugin ad manager wd 1.0.11 Arbitrary File Download

WordPress Plugin ad manager wd 1.0.11 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the path parameter. Attackers can send GET requests to the edit.php endpoint with export=exportcsv and a malicious path paramet...

9.8CVSS0.0046EPSS
Exploits0References3
NVD
NVD
added 2026/06/04 12:16 p.m.10 views

CVE-2025-52612

HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters...

8.8CVSS0.00199EPSS
Exploits0References1
CVE
CVE
added 2026/06/04 11:40 a.m.16 views

CVE-2025-52612

CVE-2025-52612 affects HCL iControl. The vulnerability is described as a CSV export injection that enables reflected cross-site scripting due to insufficient input parameter sanitization. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) indicates high impact across confidentiality, integ...

8.8CVSS5.6AI score0.00199EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.16 views

PT-2026-46187

HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters...

7.1CVSS5.6AI score0.00199EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.9 views

HCL iControl 安全漏洞

HCL iControl is an IT infrastructure monitoring and automation platform developed by HCL Company in India. HCL iControl has a security vulnerability, which stems from CSV injection during the export of CSV files. Due to insufficient parameter cleaning, reflection-type cross-site scripting attacks...

8.8CVSS5AI score0.00199EPSS
Exploits0References1
NVD
NVD
added 2026/06/01 11:16 a.m.14 views

CVE-2026-10248

A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function createsupplier of the file /Exportcsv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection...

5.8CVSS0.00248EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/01 10:15 a.m.35 views

CVE-2026-10248 SourceCodester Pharmacy Sales and Inventory System Supplier Creation export create_supplier csv injection

A vulnerability was determined in SourceCodester Pharmacy Sales and Inventory System up to 1.0. This issue affects the function createsupplier of the file /Exportcsv/export of the component Supplier Creation Interface. This manipulation of the argument Address/Company Name causes csv injection...

5.8CVSS0.00248EPSS
Exploits0References6
CVE
CVE
added 2026/06/01 10:15 a.m.25 views

CVE-2026-10248

CVE-2026-10248 affects SourceCodester Pharmacy Sales and Inventory System (up to 1.0). The vulnerability resides in the function create_supplier, within the /Export_csv/export component of the Supplier Creation Interface, where manipulating the Address/Company Name argument enables CSV injection....

5.8CVSS5.5AI score0.00248EPSS
Exploits0References6
NVD
NVD
added 2026/06/01 9:16 a.m.17 views

CVE-2026-40548

SOPlanning does not verify uploaded file extension. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a legitimate user.csv file alongside a malicious file, which is extracted on the server. When combined with CVE-2026-40547 Path...

6.4CVSS0.0031EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/01 9:3 a.m.9 views

CVE-2026-40544

SOPlanning is vulnerable to Stored Cross-Site Scripting XSS via /process/uploadbackup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the...

5.1CVSS5.9AI score0.00295EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/01 9:3 a.m.11 views

CVE-2026-40544 Stored XSS in SOPlanning

SOPlanning is vulnerable to Stored Cross-Site Scripting XSS via /process/uploadbackup endpoint. An authenticated attacker with access to the backup functionality can upload a crafted ZIP archive containing a malicious user.csv file with embedded JavaScript. The injected code is executed in the...

5.1CVSS5.9AI score0.00295EPSS
Exploits0References2
CVE
CVE
added 2026/06/01 9:3 a.m.26 views

CVE-2026-40544

SOPlanning is affected by a Stored XSS in the backup feature. An authenticated attacker with backup access can upload a crafted ZIP containing a malicious user.csv; the injected script executes in victims’ browsers when they click Edit on the malicious backup. Affected: SOPlanning v1.55 and earli...

5.1CVSS5.9AI score0.00295EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/01 9:3 a.m.9 views

CVE-2026-40543

SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional...

8.8CVSS5.8AI score0.00273EPSS
Exploits0References3
Rows per page
Query Builder