4 matches found

CVE
added 4 hours ago · 9 views

CVE-2026-56396

CVE-2026-56396 (phpMyFAQ) affects phpMyFAQ versions before 4.1.4. The issue is missing authorization in editUser() and updateUserRights(), allowing authenticated administrators with edit_user to set the is_superadmin flag or grant arbitrary rights, escalating to SuperAdmin. This leads to high-imp...

CVSS 8.8 · AI score 6
Exploits: 0 · References: 2
CVE
added 2026/05/05 7:0 p.m. · 7 views

CVE-2026-32699

FacturaScripts (versions ≤ 2025.92) exposes a vulnerability in the EditUser endpoint where the nick field is not validated on POST, allowing an attacker to modify an immutable nickname by intercepting and altering form-data. The UI prevents editing this field, but a modified request can rename an...

CVSS 5.3 · AI score 5.8 · EPSS 0.0033
Exploits: 0 · References: 1
Snyk
added 2024/11/15 3:41 p.m. · 3 views

Cross-site Scripting (XSS)

Overview: librenms/librenms is a fully featured network monitoring system that provides a wealth of features and device support. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the device Display Name field, used at several endpoints including edituser. PoC: Enter a...

CVSS 4.8 · AI score 5.3 · EPSS 0.00314
Exploits: 1 · References: 2
Positive Technologies
added 2022/09/30 12:0 a.m. · 4 views

PT-2022-25871 · Unknown · Billing System Project

Name of the Vulnerable Software and Affected Versions: Billing System Project version 1.0. Description: A SQL injection issue was found in the Billing System Project. The vulnerability is exploitable via the id parameter at the "/phpinventory/edituser.php" API endpoint. This allows for potential...

CVSS 7.2 · AI score 7.2 · EPSS 0.00726
Exploits: 1 · References: 3