CVE-2026-8474

Stormshield Network Security (Stormshield SNS) is affected by CVE-2026-8474. The issue affects SNS appliances running: 4.3.0–4.3.41, 4.8.0–4.8.15, and 5.0.0–5.0.5. It enables a reflected cross-site scripting (XSS) attack targeting the login API, achievable by executing a script on the victim’s br...

CVE-2026-8474 Possible to run a Cross Site Scripting request on the login API available on Stormshield SNS appliances.

A vulnerability was discovered on Stormshield Network Security 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, 5.0.0 to 5.0.5 It is possible to execute a reflected XSS attack on the login API available on Stormshield SNS appliance by executing a script on the victim's machine. The risks include the theft of...

EUVD-2026-33586

A vulnerability was discovered on Stormshield Network Security 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, 5.0.0 to 5.0.5 It is possible to execute a reflected XSS attack on the login API available on Stormshield SNS appliance by executing a script on the victim's machine. The risks include the theft of...

PT-2026-45387

A vulnerability was discovered on Stormshield Network Security 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, 5.0.0 to 5.0.5 It is possible to execute a reflected XSS attack on the login API available on Stormshield SNS appliance by executing a script on the victim's machine. The risks include the theft of...

Stormshield Network Security security vulnerabilities

Stormshield Network Security SNS is a next-generation UTM Unified Threat Management firewall developed by the French company Stormshield. Versions 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, and 5.0.0 to 5.0.5 of Stormshield Network Security contain security vulnerabilities. These vulnerabilities stem from...

WordPress plugin Account Switcher 授权问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

Fleet: IP spoofing allows bypassing API rate limiting

Summary A vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Impact Fleet extracted client IP...

CVE-2026-7072

A vulnerability was detected in CodePanda Source canteenmanagementsystem 1.0. Affected by this issue is some unknown functionality of the file /api/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may...

PT-2026-35283

A vulnerability was detected in CodePanda Source canteen management system 1.0. Affected by this issue is some unknown functionality of the file /api/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and m...

CodePanda Source canteen_management_system 注入漏洞

CodePanda Source canteenmanagementsystem is an open-source system developed by CodePanda Source for managing cafeteria operations and dining services. Version 1.0 of CodePanda Source canteenmanagementsystem contains a SQL injection vulnerability. This vulnerability stems from the handling of the...

PortSwigger Web Security: Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption

A security issue was discovered in the /api-internal/login authentication endpoint of the internal login interface of Burp Suite DAST Enterprise. The issue was caused by improper input validation order, where the application processed user-supplied input before enforcing field-level validation...

CVE-2026-33132 ZITADEL is missing enforcement of organization scopes

ZITADEL is an open source identity management platform. Versions prior to 3.4.9 and 4.0.0 through 4.12.2 allowed users to bypass organization enforcement during authentication. Zitadel allows applications to enforce an organzation context during authentication using scopes urn:zitadel:iam:org:id:...

GHSA-QMG5-V42X-QQHQ 1Panel – CAPTCHA Bypass via Client-Controlled Flag

Summary A CAPTCHA bypass vulnerability in the 1Panel authentication API allows an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections could be bypassed,...

1Panel – CAPTCHA Bypass via Client-Controlled Flag

Summary A CAPTCHA bypass vulnerability in the 1Panel authentication API allows an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections could be bypassed,...

EUVD-2021-24829

Malware in sbrugna...

EUVD-2023-33908

Malicious code in bioql PyPI...

CVE-2024-47530

Scout is a web-based visualizer for VCF-files. Open redirect vulnerability allows performing phishing attacks on users by redirecting them to malicious page. /login API endpoint is vulnerable to open redirect attack via next parameter due to absence of sanitization logic. Additionally, due to lac...

CVE-2024-49358

ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint http:///v1/users/login in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behavior can b...

CVE-2023-2418

A vulnerability was found in Konga 2.8.3 on Kong. It has been classified as problematic. This affects an unknown part of the component Login API. The manipulation leads to insufficiently random values. The complexity of an attack is rather high. The exploitability is told to be difficult. The...

CVE-2021-38376

OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call...