34 matches found

CNNVD · added 2026/05/08 12:00 a.m. · 3 views

SysReptor security vulnerability

SysReptor is an open-source penetration testing report platform developed by Syslifters. Versions of SysReptor prior to 2026.29 contained security vulnerabilities. These vulnerabilities stemmed from the ability of users with administrator privileges to change the email addresses of users with...

CVSS 3.8 · AI score 5.8 · EPSS 0.00025
Exploits: 0 · References: 2
OSV · added 2026/01/15 7:28 p.m. · 2 views

CVE-2026-23622 CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EASecurity.php::csrfverify only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from...

CVSS 8.7 · AI score 6.7 · EPSS 0.00014
Exploits: 1 · References: 3
Vulnrichment · added 2026/01/15 3:52 p.m. · 1 view

CVE-2021-47754 Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)

Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users...

CVSS 6.9 · AI score 6.3 · EPSS 0.00028
Exploits: 1 · References: 3
Positive Technologies · added 2026/01/15 12:00 a.m. · 2 views

PT-2026-3099

Name of the Vulnerable Software and Affected Versions: Easy!Appointments versions 1.5.2 and earlier. Description: The application's CSRF protection in application/core/EASecurity.php::csrfverify only applies to POST requests, bypassing validation for other request methods like GET. Several...

CVSS 8.8 · AI score 6 · EPSS 0.00014
Exploits: 1 · References: 9
RedhatCVE · added 2026/01/06 6:05 p.m. · 1 view

CVE-2025-59955

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the /api/v1/teams/teamid/members and /api/v1/teams/current/members API endpoints allows...

CVSS 7.1 · AI score 6.2 · EPSS 0.00031
Exploits: 1 · References: 1
OSV · added 2026/01/05 5:46 p.m. · 1 view

CVE-2025-59955 Coolify leaks sensitive information `email_change_code` in `/api/v1/teams/{team_id | current}/members` API endpoint

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Coolify versions prior to and including v4.0.0-beta.420.8 have an information disclosure vulnerability in the /api/v1/teams/teamid/members and /api/v1/teams/current/members API endpoints allows...

CVSS 7.1 · AI score 6.1 · EPSS 0.00031
Exploits: 1 · References: 3
CNNVD · added 2026/01/05 12:00 a.m. · 1 view

Coolify security vulnerability

Coolify is an open source and self-hosted Heroku/Netlify/Vercel replacement from coolLabs Open Source. A security vulnerability exists in Coolify v4.0.0-beta.420.8 and earlier versions, which stems from an information leak in the API endpoint that could lead to unauthorized email address changes...

CVSS 7.1 · AI score 6.2 · EPSS 0.00031
Exploits: 1 · References: 2
RedhatCVE · added 2025/12/13 3:59 a.m. · 1 view

CVE-2025-12963

The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the...

CVSS 9.8 · AI score 6.8 · EPSS 0.0021
Exploits: 0 · References: 1
CVE · added 2025/12/12 3:20 a.m. · 15 views

CVE-2025-12963

CVE-2025-12963 concerns the LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress. The connected sources confirm a root cause: missing authorization on the REST API endpoint wp-json/lazytasks/api/v1/user/role/edit/ allows unauthenticated users to mo...

CVSS 9.8 · AI score 6.4 · EPSS 0.0021
Exploits: 0 · References: 2
OSV · added 2025/11/04 8:48 p.m. · 2 views

CVE-2025-55155 MantisBT: Authentication bypass for some passwords due to PHP type juggling

Mantis Bug Tracker MantisBT is an open source issue tracker. In versions 2.27.1 and below, when a user edits their profile to change their e-mail address, the system saves it without validating that it actually belongs to the user. This could result in storing an invalid email address, preventing...

CVSS 5.4 · AI score 6.4 · EPSS 0.00026
Exploits: 1 · References: 5
Snyk · added 2025/11/03 8:12 p.m. · 1 view

Insufficient Verification of Data Authenticity

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the email address change. An attacker can cause unauthorized disclosure of information by updating their profile with an email address they do...

CVSS 5.4 · AI score 6.2 · EPSS 0.00026
Exploits: 1 · References: 3
NVD · added 2025/11/01 7:15 a.m. · 5 views

CVE-2025-6574

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for...

CVSS 8.8 · EPSS 0.00063
Exploits: 0 · References: 2
CNNVD · added 2025/10/27 12:00 a.m. · 2 views

VirtFusion security vulnerability

VirtFusion is a virtualization management panel from VirtFusion, UK. A security vulnerability exists in VirtFusion 6.0.2 and earlier versions, which stems from an improper restriction of authentication attempts for the Email Change Handler component in the file /account/settings, which could lead...

CVSS 6.9 · AI score 5.6 · EPSS 0.00027
Exploits: 0 · References: 4
EUVD · added 2025/10/03 8:07 p.m. · 1 view

EUVD-2025-27545

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 6.5 · EPSS 0.00081
Exploits: 0 · References: 2
Vulnrichment · added 2025/08/16 6:39 a.m. · 2 views

CVE-2025-8898 Taxi Booking Manager for Woocommerce | E-cab <= 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation via Account Takeover

The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identit...

CVSS 9.8 · AI score 7.8 · EPSS 0.00274
Exploits: 0 · References: 3
Cvelist · added 2025/08/16 6:39 a.m. · 7 views

CVE-2025-8898 Taxi Booking Manager for Woocommerce | E-cab <= 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation via Account Takeover

The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identit...

CVSS 9.8 · EPSS 0.00274
Exploits: 0 · References: 3
CVE · added 2025/08/08 6:26 p.m. · 28 views

CVE-2025-4796

The Eventin WordPress plugin (

CVSS 8.8 · AI score 7 · EPSS 0.001
Exploits: 3 · References: 3 · Affected Software: 1
Positive Technologies · added 2024/09/25 12:00 a.m. · 2 views

PT-2024-38965 · WordPress · Uncanny Groups For Learndash

Name of the Vulnerable Software and Affected Versions: Uncanny Groups for LearnDash plugin for WordPress versions up to, and including, 6.1.0.1 Description: The issue allows authenticated attackers with group leader-level access and above to exploit a missing capability check on the "/wp-json/ulg...

CVSS 7.2 · AI score 7.1 · EPSS 0.03968
Exploits: 1 · References: 9
OSV · added 2024/09/06 2:15 p.m. · 0 views

CVE-2024-8428

The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submitformhandler due to missing validation on the 'userid' user controlled key. This makes it possible...

CVSS 8.8 · AI score 5.8
Exploits: 0 · References: 2
Positive Technologies · added 2024/03/27 12:00 a.m. · 2 views

PT-2024-21642

Name of the Vulnerable Software and Affected Versions: GeoNode versions prior to 4.2.3. Description: The issue exists within GeoNode, a geospatial content management system, where the current rich text editor is vulnerable to Stored XSS. This allows an attacker to retrieve a victim's CSRF token and...

CVSS 6.1 · AI score 6.2 · EPSS 0.00697
Exploits: 0 · References: 9