20 matches found
GHSA-RWJR-QJJ3-MQ2F Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`
Summary: `modules/categories.php` checks that the supplied `type` parameter (ANN, EVT, ROL, USF, …) corresponds to a module the actor administers. The follow-up "is this specific category editable by me" check at lines 56-61 is dead code because it compares `$getType` (a category-type code) against mode nam...
PT-2026-20517
MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without...
GHSA-VM5Q-8QWW-H238 DotNetNuke.Core Vulnerable to Stored XSS in Module Deletion Confirmation Modal
A module friendly name could include scripts that will run during some module operations in the Persona Bar...
DotNetNuke.Core Vulnerable to Stored XSS in Module Deletion Confirmation Modal
A module friendly name could include scripts that will run during some module operations in the Persona Bar...
CVE-2026-24837 DotNetNuke.Core Vulnerable to Stored XSS in Module Deletion Confirmation Modal
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13....
CVE-2026-24837 DotNetNuke.Core Vulnerable to Stored XSS in Module Deletion Confirmation Modal
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13....
CVE-2026-24837 DotNetNuke.Core Vulnerable to Stored XSS in Module Deletion Confirmation Modal
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13....
CVE-2026-24837
DNN (DotNetNuke) prior to versions 9.13.10 and 10.2.0 is affected by a stored XSS in the Module Deletion Confirmation Modal, caused by the module friendly name containing scripts. The issue is addressed in 9.13.10 and 10.2.0, which contain the fix. Exploitation context is limited to remote abuse re...
EUVD-2019-18435
Malware in sbrugna...
EUVD-2023-2440
Malicious code in bioql PyPI...
CVE-2023-41938
A cross-site request forgery (CSRF) vulnerability in Jenkins Ivy Plugin 2.5 and earlier allows attackers to delete disabled modules...
CVE-2024-11444 CLUEVO LMS, E-Learning Platform <= 1.13.2 - Cross-Site Request Forgery to Module Deletion
The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.13.2. This is due to missing or incorrect nonce validation on the cluevorendermoduleui function. This makes it possible for unauthenticated attackers to...
CVE-2024-11444 CLUEVO LMS, E-Learning Platform <= 1.13.2 - Cross-Site Request Forgery to Module Deletion
The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.13.2. This is due to missing or incorrect nonce validation on the cluevorendermoduleui function. This makes it possible for unauthenticated attackers to...
WordPress CLUEVO LMS, E-Learning Platform plugin <= 1.13.2 - Cross-Site Request Forgery to Module Deletion vulnerability
Cross-Site Request Forgery to Module Deletion vulnerability discovered by Peter Thaleikis in WordPress Plugin CLUEVO LMS, E-Learning Platform versions <= 1.13.2...
static_call: Handle module init failure correctly in static_call_del_module()
...
AZL-49329 CVE-2024-38588 affecting package kernel for versions less than 5.15.162.2-1
In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix possible use-after-free issue in ftrace_location() KASAN reports a bug: BUG: KASAN: use-after-free in ftrace_location+0x90/0x120 Read of size 8 at addr ffff888141d40010 by task insmod/424 CPU: 8 PID: 424 Comm: insmod...
Cross-Site Request Forgery (CSRF) in microweber/microweber
✍️ Description: An attacker is able to delete any module if the attacker knows the ids parameter value. 🕵️♂️ Proof of Concept: After running PoC.html in Firefox or Safari and clicking the submit button (it can also be auto-submitted), you will see that the module with id 167 has been deleted. //PoC.html...
CVE-2019-9049
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=moduledelete&var1= URI...
CVE-2019-9049
An issue was discovered in Pluck 4.7.9-dev1. There is a CSRF vulnerability that can delete modules via a /admin.php?action=moduledelete&var1= URI...
Drupal Shibboleth Authentication Module Cross-Site Request Forgery Vulnerability
Drupal is a free and open-source content management system developed in PHP and maintained by the Drupal community. Shibboleth Authentication is a module for user login and authenticated access. A cross-site request forgery vulnerability exists in the Drupal Shibboleth...