CVE-2026-44679
Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes ...
EUVD-2026-30485
Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes ...
EUVD-2026-17638
AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users...
AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
Summary The AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin...
CVE-2026-34611 AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...
PT-2026-29358
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...
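The AVideo entries above describe a state-changing admin endpoint that checks the session but not a CSRF token, with SameSite=None letting the browser attach that session cookie to a cross-origin POST. The following is an added, constructed model of that pattern and its fix; it is not AVideo code, and SITE_ORIGIN, the "sid" cookie name, the "csrf_token" form field and the in-memory SESSIONS store are all assumptions made for the example.

```python
"""Admin-only mass-mail endpoint: session check alone versus session plus CSRF token.

Constructed, stand-alone model of the pattern described in the AVideo entries;
not AVideo code. SITE_ORIGIN, the cookie name "sid", the form field
"csrf_token" and the in-memory SESSIONS store are all assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://video.example"  # assumed deployment origin


@dataclass
class Session:
    is_admin: bool
    # per-session token; only pages served from SITE_ORIGIN can read it
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal model of an incoming POST: cookies, headers and form body."""
    cookies: Dict[str, str]
    headers: Dict[str, str]
    form: Dict[str, str]


SESSIONS: Dict[str, Session] = {}  # cookie value -> Session (in-memory for the example)


def new_admin_session() -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(is_admin=True)
    return sid


def _admin_session(req: Request) -> Optional[Session]:
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    return sess if sess is not None and sess.is_admin else None


def _same_origin(url: str) -> bool:
    # compare scheme and host exactly; a prefix check would accept
    # https://video.example.attacker.example
    want, got = urlsplit(SITE_ORIGIN), urlsplit(url)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def email_all_users_vulnerable(req: Request) -> dict:
    """Only checks for an admin session.

    With SameSite=None the browser attaches that cookie to a POST submitted
    from an attacker's page, so a forged request passes this check.
    """
    if _admin_session(req) is None:
        return {"error": True, "msg": "admin required"}
    return {"error": False, "subject": req.form.get("subject")}


def email_all_users_hardened(req: Request) -> dict:
    """Admin session AND same-origin AND a valid per-session CSRF token."""
    sess = _admin_session(req)
    if sess is None:
        return {"error": True, "msg": "admin required"}
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(origin):
        return {"error": True, "msg": "cross-origin request refused"}
    supplied = req.form.get("csrf_token", "")
    # constant-time compare: a timing leak would let the token be guessed byte by byte
    if not hmac.compare_digest(supplied.encode(), sess.csrf_token.encode()):
        return {"error": True, "msg": "missing or invalid CSRF token"}
    return {"error": False, "subject": req.form.get("subject")}


def demo() -> Dict[str, bool]:
    """Whether each handler rejected (error=True) a legitimate and a forged request."""
    sid = new_admin_session()
    token = SESSIONS[sid].csrf_token
    # Admin submits the real form: cookie, matching Origin and the token from the page.
    legit = Request(cookies={"sid": sid}, headers={"Origin": SITE_ORIGIN},
                    form={"subject": "Maintenance window", "csrf_token": token})
    # Admin visits attacker.example, whose page auto-submits a form to the endpoint.
    # The session cookie rides along (SameSite=None); the token does not.
    forged = Request(cookies={"sid": sid}, headers={"Origin": "https://attacker.example"},
                     form={"subject": "Confirm your account at attacker.example"})
    return {
        "vuln_rejects_legit": email_all_users_vulnerable(legit)["error"],
        "vuln_rejects_forged": email_all_users_vulnerable(forged)["error"],
        "hard_rejects_legit": email_all_users_hardened(legit)["error"],
        "hard_rejects_forged": email_all_users_hardened(forged)["error"],
    }


if __name__ == "__main__":
    print(demo())
```

The forged request is accepted by the session-only handler and refused by the hardened one; the Origin check is a second, independent layer, and the token compare uses hmac.compare_digest so the comparison time does not depend on how many leading bytes match.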
EUVD-2022-50360
Malicious code in bioql PyPI...
CVE-2023-51332
A lack of rate limiting in the 'Forgot Password' feature of PHPJabbers Meeting Room Booking System v1.0 allows attackers to send an excessive amount of email to a legitimate user, leading to a possible Denial of Service (DoS) via a large amount of generated e-mail messages...
CVE-2023-51321
A lack of rate limiting in the 'Forgot Password' feature of PHPJabbers Night Club Booking Software v1.0 allows attackers to send an excessive amount of email to a legitimate user, leading to a possible Denial of Service (DoS) via a large amount of generated e-mail messages...
CVE-2022-47600
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Mass Email To users plugin <= 1.1.4 versions...
Cross site scripting
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Mass Email To users plugin <= 1.1.4 versions...
CVE-2022-47600 WordPress Mass Email To users Plugin <= 1.1.4 is vulnerable to Cross Site Scripting (XSS)
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Mass Email To users plugin <= 1.1.4 versions...
CVE-2022-47600
CVE-2022-47600: Unauthenticated reflected XSS in the WordPress plugin Mass Email To users (I Thirteen Web Solution) version
PT-2023-15424 · I Thirteen Web Solution · Mass Email To Users Plugin
Name of the Vulnerable Software and Affected Versions: I Thirteen Web Solution Mass Email To users plugin versions 1.1.4 and earlier. Description: The issue is an Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. This allows malicious scripts to be injected into a website,...
WordPress plugin Mass Email To users cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports personal blog sites on PHP and MySQL servers. A WordPress plugin is an application plugin for that platform. A cross-site scripting vulnerability exists...
Mass Email To users < 1.1.5 - Reflected XSS
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WordPress Mass Email To users Plugin <= 1.1.4 is vulnerable to Cross Site Scripting (XSS)
Software: Mass Email To users
Type: Plugin
Vulnerable versions: <= 1.1.4
Fixed in: 1.1.5
OWASP Top 10: A7: Cross-Site Scripting (XSS)
Classification: Cross Site Scripting (XSS)
CVE: CVE-2022-47600
Patch priority: Medium
CVSS severity: Medium (7.1)
PSID: 1924a47fba47
Credits: minhtuanact...
CVE-2021-24490
The CVE-2021-24490 entry concerns the WordPress plugin Email Artillery (MASS EMAIL) up to version 4.1, where the Import Emails feature allows arbitrary file uploads due to improper validation and also lacks CSRF protection. The root cause is failure to properly check uploaded files and the absenc...
Stripo Inc: No Rate Limiting on /reset-password-request/ endpoint
Hi there! I noticed that when we hit the /reset-password-request/ endpoint too many times via some proxy, e.g. Burp, there is no rate limit on that endpoint, and you can spam the email with hundreds of requests and resend even more password reset emails to the users, as there is no rate limiting on tha...
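The Tuist, PHPJabbers and Stripo entries on this page all come down to the same missing control: a forgot-password endpoint that sends mail on every request with no server-side throttling. The following is an added example of such a throttle, not code from any of those projects: a sliding-window limiter keyed by both the target account and the client IP, wrapped in a handler that returns the same reply in every branch. The limits, the window, the GENERIC_REPLY text and the in-memory outbox are assumptions for the example.

```python
"""Server-side throttling for a forgot-password endpoint.

Added example, not code from Tuist, PHPJabbers or Stripo. Requests are counted
per normalised account address (so one victim cannot be flooded from many IPs)
and per client IP (so one client cannot spray many addresses). The limits,
window, reply text and in-memory outbox are assumptions.
"""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Set, Tuple

GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


class ResetThrottle:
    """Sliding-window limiter keyed by target account and by client IP."""

    def __init__(self, per_account: int = 3, per_ip: int = 10,
                 window_s: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.per_account = per_account
        self.per_ip = per_ip
        self.window_s = window_s
        self.clock = clock  # injectable so tests can move time forward
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _recent(self, key: Tuple[str, str], now: float) -> int:
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:  # drop hits that left the window
            q.popleft()
        return len(q)

    def ip_hits(self, ip: str) -> int:
        return self._recent(("ip", ip), self.clock())

    def allow(self, email: str, ip: str) -> bool:
        now = self.clock()
        acct = ("acct", email.strip().lower())  # case variants share one bucket
        src = ("ip", ip)
        if (self._recent(acct, now) >= self.per_account
                or self._recent(src, now) >= self.per_ip):
            return False
        self._hits[acct].append(now)
        self._hits[src].append(now)
        return True


def forgot_password(email: str, ip: str, throttle: ResetThrottle,
                    known_accounts: Set[str], outbox: List[str]) -> str:
    """Throttle first, then queue mail only for a known account.

    The throttle is charged whether or not the account exists, and the reply
    is identical in every branch, so the endpoint is neither a mail cannon
    nor an account-enumeration oracle.
    """
    allowed = throttle.allow(email, ip)
    if allowed and email.strip().lower() in known_accounts:
        outbox.append(email.strip().lower())
    return GENERIC_REPLY


def demo() -> Dict[str, object]:
    """Constructed scenario: one attacker IP hammers a victim, then sprays addresses."""
    fake_now = [0.0]
    th = ResetThrottle(per_account=3, per_ip=5, window_s=3600,
                       clock=lambda: fake_now[0])
    accounts = {"alice@example.test"}
    outbox: List[str] = []
    results: Dict[str, object] = {}

    # 20 attempts against one victim from one IP: only per_account (3) mails leave.
    replies = [forgot_password("alice@example.test", "203.0.113.7", th, accounts, outbox)
               for _ in range(20)]
    results["mails_after_20_attempts"] = len(outbox)
    results["reply_never_varies"] = len(set(replies)) == 1

    # Same IP sprays ten other addresses: the per_ip cap (5) stops it after two more.
    for i in range(10):
        forgot_password(f"user{i}@example.test", "203.0.113.7", th, accounts, outbox)
    results["ip_hits_recorded"] = th.ip_hits("203.0.113.7")

    # An hour later the window has slid and the victim can request again.
    fake_now[0] += 3601
    forgot_password("alice@example.test", "198.51.100.9", th, accounts, outbox)
    results["mails_after_window"] = len(outbox)
    return results


if __name__ == "__main__":
    print(demo())
```

In production the hit store would live in a shared cache rather than process memory, and the account-keyed bucket is the one that actually protects the victim, since an attacker can rotate source IPs far more cheaply than the target can change their address.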