Lucene search

31 matches found

Source: RedhatCVE (added 3 days ago)

CVE-2026-41661

Admidio is an open-source user management solution. Prior to version 5.0.9, an unauthenticated attacker can execute arbitrary JavaScript in any Admidio user's browser through a reflected XSS in system/msgwindow.php. The endpoint passes user input through htmlspecialchars, which does not encode...

CVSS 6.1 | AI score 5.7 | EPSS 0.0006 | Exploits 0 | References 1

Source: NVD (added 2026/05/21 1:16 p.m.)

CVE-2026-6841

Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. This vulnerability affects versions from 5.0.4 up to 5.0....

CVSS 6.1 | EPSS 0.00038 | Exploits 0 | References 4

Source: Positive Technologies (added 2026/05/21 12:00 a.m.)

PT-2026-42461

Name of the vulnerable software and affected versions: Request Tracker versions 5.0.4 through 5.0.9; Request Tracker versions 6.0.0 through 6.0.2.
Description: Reflected cross-site scripting (XSS) occurs via the Page parameter in GET requests. This allows an attacker to craft a URL that executes...

CVSS 6.1 | AI score 5.8 | EPSS 0.00038 | Exploits 0 | References 13

Source: Microsoft Security Update (added 2026/05/12 5:00 p.m.)

2026-05 .NET 8.0.27 Security Update for x64 Client (KB5093447)

2026-05 .NET 8.0.27 Security Update for x64 Client KB5093447...

AI score 5.8 | Exploits 0

Source: Circl (added 2026/05/10 3:11 p.m.)

CVE-2022-50955

| creationtimestamp | type | source |
|---|---|---|
| 2026-05-10 15:11:49+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mlj2ackmlb2r... |

CVSS 5.3 | AI score 5.8 | EPSS 0.00015 | Exploits 0 | References 1

Source: Circl (added 2026/05/10 2:48 p.m.)

CVE-2022-50954

| creationtimestamp | type | source |
|---|---|---|
| 2026-05-10 14:48:26+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mliywj5zzg2i... |

CVSS 6.9 | AI score 5.8 | EPSS 0.00026 | Exploits 0 | References 1

Source: NVD (added 2026/05/07 4:16 a.m.)

CVE-2026-41671

Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...

CVSS 6.8 | EPSS 0.00019 | Exploits 0 | References 2

Source: NVD (added 2026/05/07 4:16 a.m.)

CVE-2026-41662

Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership contains this safety check, but the current code path bypasses...

CVSS 5.2 | EPSS 0.00011 | Exploits 0 | References 2

Source: EUVD (added 2026/05/07 3:01 a.m.)

EUVD-2026-28296

Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetchmetadata.php validates the resolved IP address but passes the original hostname-based URL to curl_init, leaving a DNS rebinding TOCTOU window that allows redirecting requests to...

CVSS 6.8 | AI score 5.7 | EPSS 0.00034 | Exploits 0 | References 2

Source: CVE (added 2026/05/07 3:00 a.m.)

CVE-2026-41671

Admidio prior to version 5.0.9 contains a vulnerability in its OIDC token introspection (/modules/sso/index.php/oidc/introspect) and revocation (/oidc/revoke) endpoints. The introspection endpoint always returns {"active": true} and the revocation endpoint returns {"revoked": true} without authen...

CVSS 6.8 | AI score 5.8 | EPSS 0.00019 | Exploits 0 | References 2

Source: ATTACKERKB (added 2026/05/07 3:00 a.m.)

CVE-2026-41670

Admidio is an open-source user management solution. Prior to version 5.0.9, the SAML IdP implementation in Admidio's SSO module uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response, without validating it against the...

CVSS 8.2 | AI score 5.9 | EPSS 0.00018 | Exploits 0 | References 3 | Affected software 1

Source: Vulnrichment (added 2026/05/07 2:58 a.m.)

CVE-2026-41657 Admidio: Cross-Organization Member Data Exposure via Permission Check Mismatch in contacts_data.php

Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers, requiring only roledituser=true) than the frontend UI contacts.php, which correctly requires the stronger isAdministrator (requiring...

CVSS 4.9 | AI score 5.8 | EPSS 0.00012 | Exploits 0 | References 2

Source: ATTACKERKB (added 2026/05/07 2:58 a.m.)

CVE-2026-41657

Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers, requiring only roledituser=true) than the frontend UI contacts.php, which correctly requires the stronger isAdministrator (requiring...

CVSS 4.9 | AI score 5.8 | EPSS 0.00012 | Exploits 0 | References 3 | Affected software 1

Source: Snyk (added 2026/04/29 9:54 p.m.)

Cross-site Request Forgery (CSRF)

Overview: admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the preferences.php process. An attacker can trigger unauthorized server-side actions, such as...

CVSS 4.8 | AI score 5.8 | EPSS 0.00005 | Exploits 0 | References 2

Source: Positive Technologies (added 2026/04/29 12:00 a.m.)

PT-2026-37142

Name of the vulnerable software and affected versions: Admidio versions prior to 5.0.9.
Description: The inventory module fails to properly enforce authorization for destructive operations on the backend, relying instead on the UI layer to hide buttons from non-administrative users. While the system...

CVSS 6.5 | AI score 5.8 | EPSS 0.0001 | Exploits 0 | References 5

Source: Positive Technologies (added 2026/04/29 12:00 a.m.)

PT-2026-36106

Name of the vulnerable software and affected versions: Admidio versions prior to 5.0.9.
Description: The SAML Identity Provider implementation fails to properly handle the return value of the validateSignature function. This function returns error strings upon failure instead of throwing exceptions,...

CVSS 8.2 | AI score 5.8 | EPSS 0.00008 | Exploits 0 | References 6

Source: VulnCheck KEV (added 2026/02/11 12:00 a.m.)

VulnCheck KEV: CVE-2024-56159

Astro is a web framework for content-driven websites. A bug in the build process allows any unauthenticated user to read parts of the server source code. During build, along with client assets such as CSS and font files, the sourcemap files for the server code are moved to a publicly-accessible...

CVSS 7.8 | AI score 5.8 | EPSS 0.1078 | In the wild | Exploits 1 | References 2

Source: RedhatCVE (added 2025/11/20 12:21 a.m.)

CVE-2025-63214

An issue was discovered in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-10 and 6.5.0-9, allowing unauthorized attackers to delete and create arbitrary accounts...

CVSS 6.5 | AI score 7 | EPSS 0.00075 | Exploits 1 | References 1

Source: OSV (added 2025/11/02 7:58 p.m.)

MAL-2025-49312 Malicious code in ethers-5 (npm)

Per source details. Do not edit below this line.
Source: amazon-inspector 8842d229aa4e9c24c85ce8a9be99c6690dbf62bef2bdf2ef716865c8a44adda3. The package ethers-5 was found to contain malicious code.
Source: ossf-package-analysis...

AI score 7.2 | Exploits 0

Source: OSSF Malicious Packages (added 2025/11/02 7:57 p.m.)

Malicious code in web3-1-4 (npm)

Per source details. Do not edit below this line.
Source: amazon-inspector f8b0f3301c4d4556f7e8700121e0fa272e12f9fa0f75868720564356cdde51ed. The package web3-1-4 was found to contain malicious code.
Source: ossf-package-analysis...

AI score 7.2 | Exploits 0
