Lucene search
K

52 matches found

Cvelist
Cvelist
added 2026/06/29 1:0 a.m.34 views

CVE-2026-13521 SourceCodester Class and Exam Timetabling System preview5.php sql injection

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0/5.php. Affected by this vulnerability is an unknown functionality of the file /preview5.php. Such manipulation of the argument courseyearsection leads to sql injection. The attack may be performed from remote...

7.5CVSS0.00269EPSS
Exploits0References6
NVD
NVD
added 2026/06/28 10:16 a.m.11 views

CVE-2026-13485

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /preview.php. Performing a manipulation of the argument courseyearsection results in sql injection. The attack can be initiated remotely. The exploit has been made publi...

7.5CVSS0.00412EPSS
Exploits0References6
CVE
CVE
added 2026/06/28 9:15 a.m.15 views

CVE-2026-13485

SourceCodester Class and Exam Timetabling System 1.0 has a SQL injection vulnerability in the /preview.php file, triggered by manipulating the course_year_section argument in an unknown function. The flaw can be exploited remotely and an exploit has been made public. The CVE entry indicates netwo...

7.5CVSS6.9AI score0.00412EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/28 9:15 a.m.9 views

EUVD-2026-39985

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /preview.php. Performing a manipulation of the argument courseyearsection results in sql injection. The attack can be initiated remotely. The exploit has been made publi...

7.5CVSS6.9AI score0.00412EPSS
Exploits0References6
NVD
NVD
added 2026/06/26 10:16 p.m.14 views

CVE-2026-53577

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint GET /api/v1/tenant/executions/executionId/file/preview contains an access control bypass that allows any authenticated user to read output files from any other executio...

6.5CVSS0.00263EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 8:52 p.m.6 views

CVE-2026-53577

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint GET /api/v1/tenant/executions/executionId/file/preview contains an access control bypass that allows any authenticated user to read output files from any other executio...

6.5CVSS5.9AI score0.00263EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.12 views

PT-2026-52985

Name of the Vulnerable Software and Affected Versions Kestra versions prior to 1.0.45 Kestra versions prior to 1.3.21 Description An access control bypass exists in the previewFileFromExecution endpoint GET '/api/v1/tenant/executions/executionId/file/preview'. This issue allows an authenticated...

6.5CVSS5.9AI score0.00263EPSS
Exploits1References8
NVD
NVD
added 2026/06/21 2:16 p.m.14 views

CVE-2026-56385

Craft CMS versions = 5.0.0-RC1, = 4.0.0-RC1, = 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an...

5.3CVSS0.00221EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/21 1:27 p.m.32 views

CVE-2026-56385 Craft CMS - Authorization Bypass in assets/preview-file Endpoint

Craft CMS versions = 5.0.0-RC1, = 4.0.0-RC1, = 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an...

5.3CVSS0.00221EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:27 p.m.5 views

CVE-2026-56385

Craft CMS versions = 5.0.0-RC1, = 4.0.0-RC1, = 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References4
OSV
OSV
added 2026/06/21 1:27 p.m.3 views

CVE-2026-56385 Craft CMS - Authorization Bypass in assets/preview-file Endpoint

Craft CMS versions = 5.0.0-RC1, = 4.0.0-RC1, = 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an...

5.3CVSS6AI score0.00221EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/21 1:27 p.m.12 views

EUVD-2026-38179

Craft CMS versions = 5.0.0-RC1, = 4.0.0-RC1, = 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References3
CVE
CVE
added 2026/06/21 1:27 p.m.18 views

CVE-2026-56385

Craft CMS suffers an authorization bypass in the assets/preview-file endpoint. Versions affected: 5.0.0-RC1–5.9.13 and 4.0.0-RC1–4.17.7. An authenticated low-privileged user can supply an assetId for an asset they should not view and still receive preview data (previewHtml), including a private p...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/21 12:0 a.m.21 views

PT-2026-51233

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 through 5.9.13 Craft CMS versions 4.0.0-RC1 through 4.17.7 Description An authorization bypass exists in the 'assets/preview-file' endpoint. The system fails to enforce per-asset view authorization before returning...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References7
NVD
NVD
added 2026/04/20 9:16 a.m.8 views

CVE-2026-6619

A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be...

5.1CVSS0.00206EPSS
Exploits0References4
OSV
OSV
added 2026/03/26 5:12 p.m.2 views

GHSA-44PX-QJJC-XRHQ Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

Summary An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data previewHtml for that private asset. The returned preview HTML included a private preview image route containing the target private assetId...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References4
Snyk
Snyk
added 2026/03/26 5:12 p.m.6 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization in the assets/preview-file. An attacker can access unauthorized preview metadata by sending crafted requests with a controlled assetId parameter, allowing retrieval of...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/26 5:12 p.m.7 views

Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

Summary An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data previewHtml for that private asset. The returned preview HTML included a private preview image route containing the target private assetId...

5.8AI score
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/02/01 12:15 p.m.10 views

EUVD-2021-34752

Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks...

6.4CVSS6.1AI score0.00288EPSS
Exploits1References3
OpenVAS
OpenVAS
added 2025/12/15 12:0 a.m.5 views

Nextcloud Server IDOR Vulnerability (GHSA-h6j9-6xjq-44c4)

Nextcloud Server is prone to an Insecure Direct Object Reference IDOR vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

4.3CVSS7AI score0.00241EPSS
Exploits1References2
Rows per page
Query Builder