CVE-2026-55740

CVE-2026-55740 affects Nur-Alam39 bus-ticket. The vulnerability is an unauthenticated SQL injection in bus_info.php where the busid parameter from an HTTP POST is concatenated directly into the query: select * from bus_info where id=$busid. This occurs in a numeric context and is not sanitized, e...

CVE-2024-24769

Vantage6 exposes a MFA reset flow via API that can email users without a limit to the number of emails sent (pre-5.0.0). Root cause: lack of rate limiting on MFA reset email dispatch. Impact is described as very low since MFA reset requires a valid password, but abuse can overwhelm a mailbox and ...

EUVD-2026-37531

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

CVE-2026-48117

DroneAware is a drone detection platform. The centralized DroneAware server backing droneaware.io was vulnerable to an account pre-hijacking attack in which an attacker could register an account using a victim's email address with an attacker-controlled password before the victim completed accoun...

CVE-2026-54817

Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4...

CVE-2025-66391

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker attempts to reset the password of a user account...

EUVD-2026-37721

Missing Authorization in the server management routes routes/admin.php in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email...

CVE-2026-54415

CVE-2026-54415 is a broken access control issue in Azuriom CMS before 1.2.11. An authenticated user with the admin.access permission can abuse server-management routes to create AzLink server tokens and take over non-admin user accounts by changing passwords and emails. The vulnerability exists i...

CVE-2026-54415 Broken Access Control in Azuriom CMS Server Routes Allows Account Takeover

Missing Authorization in the server management routes routes/admin.php in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email...

EUVD-2026-37706

Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4...

CVE-2026-54817 WordPress MStore API plugin <= 4.18.4 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4...

CVE-2026-12458

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

CVE-2024-35648

Cross-Site request forgery CSRF vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery. This issue affects Emergency Password Reset: from n/a through 8.0...

CVE-2026-10839

CVE-2026-10839 describes an open redirect in the Password Manager authentication system. The vulnerability arises from manipulation of the X-Forwarded-Host header to alter generated URLs, potentially redirecting authenticated users to malicious sites after login. Impact is limited to confidential...

CVE-2026-10837

CVE-2026-10837 describes an open redirection vulnerability in a Password Manager caused by insufficient validation of the X-Forwarded-Host header. The issue allows an attacker to craft links that, when clicked by a victim, redirect to attacker-controlled domains, enabling phishing or deception wh...

CVE-2026-10836

The CVE-2026-10836 entry concerns a vulnerability in Password Manager where improper neutralization of HTTP headers allows an attacker to manipulate the Host header via crafted requests. This can lead to generation of manipulated links or responses and potentially cause limited information disclo...

DEBIAN-CVE-2026-12446

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: High...

NocoDB < 0.258.0 - Reflected XSS in Password Reset

NocoDB versions before 0.258.0 contain a reflected cross-site scripting caused by insecure use of '\u003C%-' in resetPassword.ts, letting attackers execute malicious scripts in victims' browsers, exploit requires sending crafted requests to /api/v1/db/auth/password/reset/:tokenId. id:...

DomainMOD 4.13.0 - Cross-Site Scripting

DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the "or Expiring Between" parameter. id: CVE-2020-20988 info: name: DomainMOD 4.13.0 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.13.0 is vulnerable to...

modoboa 2.0.4 - Admin TakeOver

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4. id: CVE-2023-0777 info: name: modoboa 2.0.4 - Admin TakeOver author: r3Y3r53 severity: critical description: | Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to...