CVE-2026-23752

CVE-2026-23752 affects GFI HelpDesk prior to 4.99.9. The vulnerability is a stored XSS in the template group creation/editing flow, exploitable via the companyname POST parameter without HTML sanitization. When an authenticated administrator views the Templates > Groups page, the injected scri...

CVE-2026-23752 GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can...

CVE-2026-23752 GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can...

CVE-2026-23752

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can...

GFI HelpDesk 安全漏洞

GFI HelpDesk is an open-source service request and ticket management system for enterprise IT support processes developed by GFI. Versions of GFI HelpDesk prior to 4.99.9 contained security vulnerabilities. These vulnerabilities stemmed from insufficient cleaning of the companyname POST parameter...

PT-2026-33820

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can...

Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action

Summary The actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty groups...

GHSA-JQ2F-59PJ-P3M3 Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action

Summary The actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty groups...

CVE-2026-35034

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint POST /SyncPlay/New, where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By...

CVE-2026-35034

CVE-2026-35034 affects Jellyfin before 10.11.7, where an authenticated user can abuse the SyncPlay group creation endpoint (POST /SyncPlay/New) due to insufficient input validation. By sending large payloads (with arbitrary group IDs), an attacker can cause high memory usage and lock out other cl...

CVE-2026-35034

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint POST /SyncPlay/New, where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By...

CVE-2026-27668

A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary SAM-P All versions V5.8. User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access t...

CVE-2026-27668

A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary SAM-P All versions V5.8. User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access t...

CVE-2026-27668

CVE-2026-27668 affects RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) with all versions below v5.8. The issue allows an authenticated User Administrator to escalate their own privileges by administering groups they belong to, enabling access to any device group at any access level. Docu...

CVE-2026-27668

A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary SAM-P All versions V5.8. User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access t...

CVE-2026-27668

A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary SAM-P All versions V5.8. User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access t...

📄 ChurchCRM 6.4.0 Cross Site Scripting

ChurchCRM versions 6.4.0 and below suffer from persistent cross site scripting vulnerability in group role name assignment. CVE-2025-67876: ChurchCRM has Stored XSS in Group Role Name Leading to Admin Session Hijacking Overview | Field | Details | |---|---| | CVE ID | CVE-2025-67876 | | Severity ...

📄 WBCE CMS 1.6.4 SQL Injection

WBCE CMS versions 1.6.4 and below suffer from a remote time-bsed SQL injection vulnerability via the groups parameter. CVE-2025-65950: WBCE CMS is Vulnerable to Time-Based Blind SQL Injection through groups Parameter Overview | Field | Details | |---|---| | CVE ID | CVE-2025-65950 | | Severity |...

Exploit for SQL Injection in Wbce Wbce_Cms

CVE-2025-65950: WBCE CMS is Vulnerable to Time-Based Blind SQL...

Linux Distros Unpatched Vulnerability : CVE-2026-40198

"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass. packipv6 does not check that uncompressed IPv6...