38 matches found

Vulnrichment · added 2026/04/24 12:16 a.m.

CVE-2026-31956 Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of th...

CVSS 4.3 · AI score 5.4 · EPSS 0.00193
Exploits: 0 · References: 2
Cvelist · added 2026/04/24 12:16 a.m.

CVE-2026-31956 Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of th...

CVSS 4.3 · EPSS 0.00193
Exploits: 0 · References: 2
RedhatCVE · added 2026/02/27 7:44 p.m.

CVE-2026-26265

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The userfieldids parameter ...

CVSS 7.5 · AI score 6 · EPSS 0.00239
Exploits: 0 · References: 1
Vulnrichment · added 2026/02/26 3:10 p.m.

CVE-2026-26265 Discourse has IDOR vulnerability in the directory items endpoint

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, an IDOR vulnerability in the directory items endpoint allows any user, including anonymous users, to retrieve private user field values for all users in the directory. The userfieldids parameter ...

CVSS 7.5 · AI score 6 · EPSS 0.00239
Exploits: 0 · References: 1
Cvelist · added 2025/11/29 3:06 a.m.

CVE-2025-66289 OrangeHRM is Vulnerable to Persistent Session Access Due to Missing Invalidation After User Disable and Password Change

OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, o...

CVSS 8.7 · EPSS 0.00237
Exploits: 0 · References: 1
EUVD · added 2025/10/07 12:30 a.m.

EUVD-2013-7051

Malware in sbrugna...

CVSS 2.1 · AI score 6.3 · EPSS 0.00368
Exploits: 0 · References: 7
EUVD · added 2025/10/03 8:07 p.m.

EUVD-2023-51901

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.6 · EPSS 0.00264
Exploits: 0 · References: 1
RedhatCVE · added 2025/05/23 6:04 a.m.

CVE-2023-47806

Cross-Site Request Forgery (CSRF) vulnerability in Saint Systems Disable User Login. This issue affects Disable User Login: from n/a through 1.3.7...

CVSS 8.8 · AI score 8 · EPSS 0.00264
Exploits: 0 · References: 1
RedhatCVE · added 2025/05/23 12:44 a.m.

CVE-2022-2350

The Disable User Login WordPress plugin through 1.0.1 does not have authorisation and CSRF checks when updating its settings, allowing unauthenticated attackers to block or unblock users at will...

CVSS 5.3 · AI score 7 · EPSS 0.00408
Exploits: 1 · References: 1
Positive Technologies · added 2025/01/16 12:00 a.m.

PT-2025-5107 · Unknown · Spiderpowa Embed Pdf

Name of the Vulnerable Software and Affected Versions: Spiderpowa Embed PDF versions 1.0 and earlier
Description: The issue is related to improper neutralization of input during web page generation, which allows for stored Cross-site Scripting (XSS). This means that an attacker can inject malicious...

CVSS 6.5 · AI score 9.1 · EPSS 0.00354
Exploits: 0 · References: 3
Positive Technologies · added 2024/10/01 12:00 a.m.

PT-2024-21052 · Elabftw · Elabftw

Name of the Vulnerable Software and Affected Versions: eLabFTW versions prior to 5.1.0
Description: The issue allows a regular user to become an administrator of a team where they are a member, under a reasonable configuration. In versions subsequent to v5.0.0, it may also allow an initially...

CVSS 8.8 · AI score 7.1 · EPSS 0.00385
Exploits: 0 · References: 11
Positive Technologies · added 2024/05/17 12:00 a.m.

PT-2024-20630 · Codepeople · Codepeople Cp Polls

Name of the Vulnerable Software and Affected Versions: CodePeople CP Polls versions 1.0.71 and earlier
Description: The issue is related to an Improper Neutralization of Script-Related HTML Tags in a Web Page, also known as Basic XSS, which allows Code Injection. This means that an attacker could...

CVSS 5.3 · AI score 9.4 · EPSS 0.00413
Exploits: 0 · References: 4
OSV · added 2023/12/18 4:15 p.m.

CVE-2023-47806

Cross-Site Request Forgery (CSRF) vulnerability in Saint Systems Disable User Login. This issue affects Disable User Login: from n/a through 1.3.7...

CVSS 8.8 · AI score 5.8
Exploits: 0 · References: 1
NVD · added 2023/12/18 4:15 p.m.

CVE-2023-47806

Cross-Site Request Forgery (CSRF) vulnerability in Saint Systems Disable User Login. This issue affects Disable User Login: from n/a through 1.3.7...

CVSS 8.8 · EPSS 0.00264
Exploits: 0 · References: 1
Prion · added 2023/12/18 4:15 p.m.

Cross site request forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Saint Systems Disable User Login. This issue affects Disable User Login: from n/a through 1.3.7...

CVSS 6.8 · AI score 7.2 · EPSS 0.00264
Exploits: 0 · References: 1 · Affected Software: 1
CVE · added 2023/12/18 3:45 p.m.

CVE-2023-47806

The CVE-2023-47806 entry concerns the WordPress plugin Disable User Login. A CSRF vulnerability exists due to the absence of a CSRF check in the plugin's bulk action, allowing an attacker to cause unintended actions on a user's account. Affected versions are 1.3.7 and earlier, with fixes introduc...

CVSS 8.8 · AI score 8 · EPSS 0.00264
Exploits: 0 · References: 1 · Affected Software: 1
Cvelist · added 2023/12/18 3:45 p.m.

CVE-2023-47806 WordPress Disable User Login Plugin <= 1.3.7 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Saint Systems Disable User Login. This issue affects Disable User Login: from n/a through 1.3.7...

CVSS 5.4 · AI score 8.9 · EPSS 0.00264
Exploits: 0 · References: 1
CNNVD · added 2023/12/18 12:00 a.m.

WordPress Plugin Disable User Login Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. WordPress plugin is an application...

CVSS 8.8 · AI score 6.4 · EPSS 0.00264
Exploits: 0 · References: 2
Positive Technologies · added 2023/12/18 12:00 a.m.

PT-2023-30617 · Unknown · Disable User Login

Name of the Vulnerable Software and Affected Versions: Disable User Login versions 1.3.7 and earlier
Description: A Cross-Site Request Forgery (CSRF) issue affects the Disable User Login feature. This allows an attacker to perform unintended actions on a user's account.
Recommendations: For version...

CVSS 8.8 · AI score 8.6 · EPSS 0.00264
Exploits: 0 · References: 5
OSV · added 2023/06/01 12:00 a.m.

ASB-A-272042183

In various functions of AppStandbyController.java, there is a possible way to break manageability scenarios due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 7.8 · AI score 7.7 · EPSS 0.0009
Exploits: 0 · References: 2