17 matches found
CVE-2026-33158
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized...
CVE-2026-33158 Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized...
Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Summary A low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes or a preview redirect without enforcing a per-asset view authorization check, leading to potenti...
GHSA-3PVF-VXRV-HH9C Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Summary A low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes or a preview redirect without enforcing a per-asset view authorization check, leading to potenti...
PT-2026-27463
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized...
CVE-2024-10297 PHPGurukul Medical Card Generation System Managecard Edit Image Page changeimage.php sql injection
A vulnerability was found in PHPGurukul Medical Card Generation System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/changeimage.php of the component Managecard Edit Image Page. The manipulation of the argument editid leads to sql...
CVE-2024-8436
The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to SQL Injection via the 'editimageId' and 'editimageDelete' parameters in all versions up to, and including, 4.8.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...
CVE-2024-29810
The thumburl parameter of the AJAX call to the editimagebwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumburl parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The...
CVE-2022-30795
Online Ordering System v1.0 by oretnom23 is vulnerable to SQL Injection via admin/editproductimage.php...
living Local 1.1 - Cross-Site Scripting / Arbitrary File Upload
Author: Bgh7 Home: http://ozelteam.com - Turk Bilisim Gücleri Pst: [email protected] Dork: allinurl:clientsignup.php "classifieds" Dork2: Powered By: Living Local V1.1 Demo: http://www.jerseyads.net/listtest.php?r="alert Demo2:...
Directory Manager
Directory Manager is installed and does not properly filter user input. A cracker may use this flaw to execute any command on your system. OpenVAS Vulnerability Test $Id: directorymanager.nasl 8023 2017-12-07 08:36:26Z teissa $ Description: Directory Manager's editimage.php Authors: Renaud Derais...
Availscript Jobs Portal Script File Upload Vulnerability (auth)
Exploit for unknown platform in category web applications. Availscript Jobs Portal Script File Upload Vulnerability (auth)...
Availscript Jobs Portal Script File Upload Vulnerability (auth)
No description provided by source.
Cross site scripting
Cross-site scripting (XSS) vulnerability in editimage.asp in ClickGallery Server 5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the from parameter...