Lucene search
K

12588 matches found

NVD
NVD
added yesterday6 views

CVE-2026-61501

Rejetto HFS 3.0.0 through 3.2.0 renders log entries in the administration panel as HTML without sanitization. A remote unauthenticated attacker can submit a failed login with a crafted username that is written to the error log and executes JavaScript in an administrator's browser when the logs ar...

6.1CVSS
Exploits0References2
Nuclei
Nuclei
added yesterday35 views

Etherpad Lite <1.6.4 - Admin Authentication Bypass

Etherpad Lite before 1.6.4 is exploitable for admin access. id: CVE-2018-9845 info: name: Etherpad Lite 1.6.4 - Admin Authentication Bypass author: philippedelteil severity: critical description: Etherpad Lite before 1.6.4 is exploitable for admin access. impact: | An attacker can bypass the admi...

9.8CVSS7AI score0.13132EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday1482 views

Pterodactyl Panel - Remote Code Execution

Pterodactyl is a free, open-source game server management panel. Using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. id: CVE-2025-49132 info: name: Pterodactyl Panel - Remote Code Execution...

10CVSS6.4AI score0.13105EPSS
Exploits28References3
Nuclei
Nuclei
added yesterday55 views

Sidekiq < 7.0.8 - Cross-Site Scripting

An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system. id: CVE-2023-1892 info: name: Sidekiq 7.0.8 - Cross-Site Scripting author: ritikchaddha,princechaddha severity: critical description: | An XSS vulnerability on a Sidekiq admin pan...

9.6CVSS7AI score0.02742EPSS
Exploits1References3
Nuclei
Nuclei
added yesterday43 views

Netsweeper 4.0.5 - Default Weak Account

The Web Panel in Netsweeper before 4.0.5 has a default password of 'branding' for the branding account, which makes it easier for remote attackers to obtain access via a request to webadmin/. id: CVE-2014-9614 info: name: Netsweeper 4.0.5 - Default Weak Account author: daffainfo severity: critica...

9.8CVSS7.1AI score0.66638EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday10 views

Dyn Business Panel Plugin <= 1.0.0 - Cross-Site Scripting

Dyn Business Panel WordPress plugin = 1.0.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter in output, letting attackers execute scripts in the context of high privilege users, exploit requires victim to click a malicious link. id: CVE-2024-130...

7.1CVSS7AI score0.00522EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday474 views

Moodle - Cross-Site Scripting/Remote Code Execution

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. Moodle versions 4.1.x before 4.1.3 and 4.2.x before...

6.5CVSS6.8AI score0.06583EPSS
Exploits3References5
Nuclei
Nuclei
added yesterday9 views

Karel IP Phone IP1211 Web Management Panel - Local File Inclusion

Karel IP Phone IP1211 Web Management Panel is vulnerable to local file inclusion and can allow remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter. id: CVE-2025-34023 info: name: Karel IP Phone IP1211 Web Management Pane...

8.5CVSS6.2AI score0.01441EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday65 views

1Panel SQL Injection - Authenticated

1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to...

9.8CVSS7.1AI score0.29396EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday56 views

Tieline IP Audio Gateway <=2.6.4.8 - Unauthorized Remote Admin Panel Access

Tieline IP Audio Gateway 2.6.4.8 and below is affected by a vulnerability in the web administrative interface that could allow an unauthenticated user to access a sensitive part of the system with a high privileged account. id: CVE-2021-35336 info: name: Tieline IP Audio Gateway =2.6.4.8 -...

9.8CVSS7AI score0.11587EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday96 views

i-Panel Administration System 2.0 - Cross-Site Scripting

i-Panel Administration System 2.0 contains a cross-site scripting vulnerability that enables an attacker to execute arbitrary JavaScript code in the browser-based web console. id: CVE-2021-41878 info: name: i-Panel Administration System 2.0 - Cross-Site Scripting author: madrobot severity: medium...

6.1CVSS6.6AI score0.09912EPSS
Exploits4References5
Nuclei
Nuclei
added yesterday85 views

CentOS Web Panel - SQL Injection

The unprivileged user portal part of CentOS Web Panel is affected by a SQL Injection via the 'idsession' HTTP POST parameter. id: CVE-2021-31316 info: name: CentOS Web Panel - SQL Injection author: ritikchaddha severity: critical description: | The unprivileged user portal part of CentOS Web Pane...

10CVSS7.1AI score0.13029EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday29 views

Control Web Panel (CWP) - File Inclusion

In CWP Control Web Panel, previously CentOS Web Panel before version 0.9.8.1107, an unauthenticated attacker can abuse null byte %00 injection with the "scripts" parameter in the /user/loader.php or /user/login.php endpoints to register arbitrary API keys or access sensitive files. This can be...

9.8CVSS7.3AI score0.70947EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday26 views

CentOS Web Panel - OS Command Injection

The unprivileged user portal part of CentOS Web Panel is affected by a Command Injection vulnerability leading to root Remote Code Execution. id: CVE-2021-31324 info: name: CentOS Web Panel - OS Command Injection author: ritikchaddha severity: critical description: | The unprivileged user portal...

10CVSS7.1AI score0.34062EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday19 views

KevinLAB BEMS (Building Energy Management System) - Backdoor Account

KevinLAB BEMS has an undocumented backdoor account, and these sets of credentials are never exposed to the end-user and cannot be changed through any normal operation of the solution through the RMI. An attacker could exploit this vulnerability by logging in using the backdoor account with highes...

9CVSS6.9AI score0.06719EPSS
Exploits2References2
Nuclei
Nuclei
added 3 days ago35 views

Triofox - Improper Access Control

The Gladinet Triofox solution before 12.91.1126.65588 and CentreStack before 12.10.595.65696 allow unauthenticated access to the /management/admindatabase.aspx endpoint, exposing sensitive database management functionality to anyone with network access. An unauthenticated attacker can remotely...

9.1CVSS7.1AI score0.90532EPSS
Exploits1References3
Nuclei
Nuclei
added 3 days ago94 views

Apache APISIX - Remote Code Execution

A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different...

9.8CVSS7.3AI score0.96182EPSS
Exploits16References5
NVD
NVD
added 4 days ago6 views

CVE-2026-53448

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The issecurestring filter that protects the STUN protocol path is not...

7.2CVSS0.00677EPSS
Exploits0References4
CVE
CVE
added 4 days ago13 views

CVE-2026-53448

Coturn’s CVE-2026-53448 concerns the HTTPS admin panel, where prior to 4.12.0 HTTP query parameters were interpolated into SQL queries without sanitization. The is_secure_string filter guarding the STUN path is not applied to admin panel operations delete-user, delete-secret, and delete-IP, allow...

7.2CVSS6.2AI score0.00677EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago9 views

EUVD-2026-42969

Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The issecurestring filter that protects the STUN protocol path is not...

7.2CVSS6.2AI score0.00677EPSS
Exploits0References4
Rows per page
Query Builder