Lucene search
K

3406 matches found

CNNVD
CNNVD
added 2026/04/29 12:0 a.m.12 views

XATABoost CMS SQL注入漏洞

XATABoost CMS is a content management system from XATABoost that provides website content publishing and management functions. A SQL injection vulnerability exists in XATABoost CMS version 1.0.0. The vulnerability stems from the application's lack of validation of externally entered SQL statement...

8.8CVSS5.9AI score0.00323EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/29 12:0 a.m.12 views

PT-2026-37147

Name of the Vulnerable Software and Affected Versions Admidio versions prior to 5.0.9 Description Several administrative operations within the preferences module are executed via GET requests without CSRF token validation. This allows an attacker to force an authenticated administrator to trigger...

3.5CVSS5.8AI score0.00117EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/04/24 5:50 a.m.8 views

CVE-2026-1949 Incorrect calculation of buffer size on the stack in AS320T

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service...

9.8CVSS5.4AI score0.00611EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/24 5:50 a.m.28 views

CVE-2026-1949 Incorrect calculation of buffer size on the stack in AS320T

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service...

9.8CVSS0.00611EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/24 2:40 a.m.3 views

CVE-2026-41317

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS.press.api.account.createapisecret is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit...

8.7CVSS5.8AI score0.00165EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.9 views

PT-2026-34853

CVE-2026-1949 Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service. https://t.co/NRUjOzyfyB...

9.8CVSS5.4AI score0.00611EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.9 views

ClassroomIO.com 访问控制错误漏洞

ClassroomIO.com is an educational platform developed by ClassroomIO as open source. Version 0.1.13 of ClassroomIO.com contains a vulnerability related to access control. This vulnerability arises from ineffective access control, allowing low-privilege student users who are authenticated to access...

6.5CVSS5.8AI score0.00212EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/20 7:22 p.m.6 views

CVE-2026-40581

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint SelectDelete.php performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a...

8.1CVSS5.7AI score0.00199EPSS
Exploits0References1
NVD
NVD
added 2026/04/18 12:16 a.m.4 views

CVE-2026-40581

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint SelectDelete.php performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a...

8.1CVSS0.00199EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/18 12:0 a.m.12 views

ChurchCRM 安全漏洞

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the family record deletion endpoint, which performed permanent deletions via a pure GET request without verifying the CSRF...

8.1CVSS5.8AI score0.00199EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/17 11:51 p.m.32 views

CVE-2026-40581 ChurchCRM: Cross-Site Request Forgery (CSRF) in SelectDelete.php Leading to Permanent Data Deletion

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint SelectDelete.php performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a...

8.1CVSS0.00199EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/17 11:51 p.m.2 views

CVE-2026-40581

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint SelectDelete.php performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a...

8.1CVSS5.7AI score0.00199EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/04/17 1:15 p.m.37 views

CVE-2026-6490 QueryMine sms GET Request Parameter deletecourse.php sql injection

A weakness has been identified in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. Impacted is an unknown function of the file admin/deletecourse.php of the component GET Request Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated...

7.5CVSS0.00325EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/17 12:0 a.m.3 views

PT-2026-33449

Name of the Vulnerable Software and Affected Versions QueryMine sms versions up to 7ab5a9ea196209611134525ffc18de25c57d9593 Description Remote SQL injection is possible via the GET Request Parameter Handler in the 'admin/editcourse.php' file. The issue occurs when the ID argument is manipulated,...

6.5CVSS6.9AI score0.00196EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/04/14 6:30 p.m.20 views

Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References4Affected Software1
Snyk
Snyk
added 2026/04/14 4:15 p.m.12 views

Authorization Bypass Through User-Controlled Key

Overview krayin/laravel-crm is a hand tailored CRM framework built on some of the hottest opensource technologies such as Laravel a PHP framework and Vue.js a progressive Javascript framework. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in...

8.6CVSS5.8AI score0.00351EPSS
Exploits2References2
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.6 views

PT-2026-32685

A Broken Object-Level Authorization BOLA in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References5
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.8 views

PT-2026-32684

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References5
CVE
CVE
added 2026/04/14 12:0 a.m.15 views

CVE-2026-38530

CVE-2026-38530 describes a Broken Object-Level Authorization (BOLA) in the Webkul Krayin CRM v2.2.x, specifically in the /Controllers/Lead/LeadController.php endpoint. The authenticated user can read, modify, and permanently delete any lead owned by other users by sending a crafted GET request. T...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References2Affected Software1
EUVD
EUVD
added 2026/04/12 3:30 p.m.5 views

EUVD-2019-20136

Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the...

8.7CVSS5.8AI score0.00535EPSS
Exploits0References4
Rows per page
Query Builder