5 matches found

Positive Technologies
added 2026/05/10 12:0 a.m. | 4 views

PT-2026-39547

A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is some unknown functionality of the file /inventory/sales save. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the...

CVSS: 4.8 | AI score: 4.2 | EPSS: 0.0001
Exploits: 0 | References: 5
Positive Technologies
added 2026/05/10 12:0 a.m. | 5 views

PT-2026-39438

A vulnerability was detected in Devs Palace ERP Online up to 4.0.0. This affects an unknown function of the file /inventory/customer-save. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted ear...

CVSS: 4.8 | AI score: 4.2 | EPSS: 0.0003
Exploits: 0 | References: 5
Vulnrichment
added 2026/03/31 8:33 p.m. | 2 views

CVE-2026-34383 Admidio: CSRF and Form Validation Bypass in Inventory Item Save via `imported` Parameter

Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's itemsave endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user ca...

CVSS: 4.3 | AI score: 6 | EPSS: 0.0001
Exploits: 1 | References: 2
CVE
added 2026/03/31 8:33 p.m. | 2 views

CVE-2026-34383

Affected product: Admidio open-source user management. Vulnerability: In versions before 5.0.8, the inventory module’s item_save endpoint accepts a user-controllable POST parameter named “imported” that, when true, bypasses both CSRF validation and server-side form validation. An authenticated us...

CVSS: 4.3 | AI score: 5.9 | EPSS: 0.0001
Exploits: 1 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/03/31 12:0 a.m. | 1 views

PT-2026-29350

Name of the Vulnerable Software and Affected Versions: Admidio versions prior to 5.0.8. Description: The inventory module's item save endpoint is susceptible to a bypass of both CSRF token validation and server-side form validation. An authenticated user can craft a direct POST request to save...

CVSS: 4.3 | AI score: 6.1 | EPSS: 0.0001
Exploits: 1 | References: 6