4515 matches found
CVE-2025-70866
LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges User role can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider...
CVE-2026-25759
Statmatic is a Laravel and Git powered content management system CMS. From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Maliciou...
SAP ABAP Platform和SAP NetWeaver Application Server ABAP 安全漏洞
SAP ABAP Platform and SAP NetWeaver Application Server ABAP are both products of the German company SAP. SAP ABAP Platform is an SAP solution based on ABAP language. SAP NetWeaver Application Server ABAP is a platform for running and developing applications written in the ABAP language. There are...
Siemens SINEC NMS 代码问题漏洞
Siemens SINEC NMS is a network management system developed by Siemens in Germany. This system can be used for round-the-clock centralized monitoring, management, and configuration of industrial networks containing tens of thousands of devices, including those related to security applications...
CVE-2026-23797
In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users' password in user editing page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7...
CVE-2020-37129 Memu Play 7.1.3 - Insecure Folder Permissions
Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file...
CVE-2020-37129 Memu Play 7.1.3 - Insecure Folder Permissions
Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file...
CVE-2026-24671
The Open eClass platform formerly known as GUnet eClass is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting XSS vulnerability allows authenticated high-privileged users teachers or administrators to inject malicious JavaScript into multiple user-controllabl...
CVE-2026-24671
The Open eClass platform formerly known as GUnet eClass is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting XSS vulnerability allows authenticated high-privileged users teachers or administrators to inject malicious JavaScript into multiple user-controllabl...
EUVD-2026-5238
The Open eClass platform formerly known as GUnet eClass is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting XSS vulnerability allows authenticated high-privileged users teachers or administrators to inject malicious JavaScript into multiple user-controllabl...
CVE-2026-24671
Open eClass (formerly GUnet eClass) prior to version 4.2 is affected by a Stored XSS vulnerability in multiple high-privilege user input fields. Authenticated teachers/admins can inject malicious JavaScript, executed when other users load affected pages. Red Hat/NVD/CVE aggregations confirm the i...
CVE-2026-24671
The Open eClass platform formerly known as GUnet eClass is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting XSS vulnerability allows authenticated high-privileged users teachers or administrators to inject malicious JavaScript into multiple user-controllabl...
Open eClass 跨站脚本漏洞
Open eClass is an open-source e-classroom system developed by the Greek Universities Network. Versions of Open eClass prior to 4.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from stored cross-site scripts in multiple user-controllable input fields, which could allo...
CVE-2021-47913
PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execute persistent scripts, potentially leading to session hijacking and application manipulation...
CVE-2026-24855
ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting XSS vulnerability occurs in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and wh...
CVE-2025-14316
The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
MyTube security vulnerability
MyTube is a video self-hosting downloader and player developed by Peifan Li. Versions of MyTube prior to 1.7.78 contained a security vulnerability, which stemmed from improper permission verification at the database export endpoint. This vulnerability could allow low-privilege users to access...
CVE-2025-14750 External Control of Assumed-Immutable Web Parameter in Weintek cMT X Series HMI EasyWeb Service
The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges...
CVE-2025-12573
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data...
CVE-2025-12573
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data...