37 matches found
CVE-2018-25391 HaPe PKH 1.1 Missing Authorization Allows Unauthenticated Record Deletion
HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/modpengurus/aksipengurus.php module=pengurus&act=hapus and...
PT-2026-44869
HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/modpengurus/aksipengurus.php module=pengurus&act=hapus and...
CVE-2026-40836
CVE-2026-40836 describes an unauthenticated SQL Injection in the inmessage model that can be exploited by a low-privileged remote attacker. The vulnerability arises from improper neutralization of special elements in a SQL DELETE command, enabling reading of the entire database and deletion of en...
PT-2026-43254
OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the...
CVE-2026-44548 ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelete.php, PropertyTypeDelete.php, NoteDelete.php)
ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records,...
CVE-2026-38566
HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add) are vulnerable to CSRF. An attacker who can...
EUVD-2019-14137
Malware in sbrugna...
EUVD-2020-5680
Malware in sbrugna...
EUVD-2020-0454
Malware in sbrugna...
EUVD-2021-13574
Malware in sbrugna...
EUVD-2012-2105
Malware in sbrugna...
EUVD-2024-41454
Malicious code in bioql PyPI...
CVE-2021-26787
A cross-site scripting (XSS) vulnerability in Genesys Workforce Management 8.5.214.20 can occur during record deletion via the Time-off parameter...
CVE-2024-45392
SuiteCRM is an open-source customer relationship management (CRM) system. Prior to versions 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue...
BIT-SUITECRM-2024-45392 SuiteCRM has wrong deletion permission checks on API delete call
SuiteCRM is an open-source customer relationship management (CRM) system. Prior to versions 7.14.5 and 8.6.2, insufficient access control checks allow a threat actor to delete records via the API. Versions 7.14.5 and 8.6.2 contain a patch for the issue...
PT-2024-31596 · Suitecrm · Suitecrm
Name of the Vulnerable Software and Affected Versions: SuiteCRM versions prior to 7.14.5; SuiteCRM versions prior to 8.6.2. Description: The issue is related to insufficient access control checks in SuiteCRM, an open-source customer relationship management system. This allows a threat actor to dele...
CVE-2023-49783
CVE-2023-49783 affects SilverStripe Admin. In 1.x before 1.13.19 and 2.x before 2.1.8, users who lack edit/delete permissions for ModelAdmin records can still edit/delete records via the CSV import form if they have create permissions. The issue can enable unintended record modification, though t...
CVE-2023-0766 Newsletter Popup <= 1.2 - Record Deletion via CSRF
The Newsletter Popup WordPress plugin through 1.2 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks as the wpnewslettershowlocalrecord page is not protected with a nonce...
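The entries above fall into two recurring defects on a record-deletion endpoint: no authorization check at all, so an unauthenticated caller picks the id (HaPe PKH, the SuiteCRM API delete), and no CSRF protection, so a logged-in victim's browser can be made to delete on an attacker's behalf, worst of all when the delete is reachable by a plain GET (ChurchCRM's legacy delete pages, HireFlow's token-less forms, the Newsletter Popup page without a nonce). The following is an added example, not code from any of the projects listed on this page: a minimal model of such an endpoint in its vulnerable shape beside a hardened one that enforces method, session, a session-bound CSRF token and record ownership. The request is a plain dict standing in for an HTTP request; the record store, sessions, user names and handler names are all assumptions for illustration.

```python
import copy
import hmac
import secrets

# Constructed in-memory data (assumption, not any project's schema):
# records carry an owner, sessions carry the user, their role and a CSRF token.
RECORDS = {
    1: {"owner": "alice"},
    2: {"owner": "bob"},
}
SESSIONS = {
    "s-alice": {"user": "alice", "role": "member", "csrf": secrets.token_hex(16)},
    "s-admin": {"user": "carol", "role": "admin", "csrf": secrets.token_hex(16)},
}


def make_request(method, sid=None, params=None, form=None):
    """Stand-in for an HTTP request: method, session cookie, query string, form body."""
    return {
        "method": method,
        "cookies": {"sid": sid} if sid else {},
        "params": params or {},
        "form": form or {},
    }


def vulnerable_delete(req, records):
    """The shape the advisories describe: any method, no session check, no CSRF
    token, and the record id taken straight from the query string."""
    rid = int(req["params"]["id"])
    records.pop(rid, None)
    return 200


def hardened_delete(req, records, sessions):
    """Same endpoint with the checks the advisories say were missing."""
    # 1. State change only over POST: a top-level cross-site GET navigation
    #    (the ChurchCRM case) is rejected before anything else happens.
    if req["method"] != "POST":
        return 405
    # 2. Authentication: the caller must present a valid session.
    session = sessions.get(req["cookies"].get("sid"))
    if session is None:
        return 401
    # 3. CSRF: the form token must equal the token bound to this session.
    #    compare_digest keeps the comparison constant-time.
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403
    # 4. Authorization: the record must exist and belong to the caller,
    #    unless the caller holds the admin role.
    try:
        rid = int(req["form"].get("id", ""))
    except ValueError:
        return 400
    record = records.get(rid)
    if record is None:
        return 404
    if session["role"] != "admin" and record["owner"] != session["user"]:
        return 403
    del records[rid]
    return 200


def run_scenarios():
    """Run each handler on a fresh copy of the data; returns
    scenario name -> (status, sorted ids still present)."""
    out = {}
    alice_tok = SESSIONS["s-alice"]["csrf"]
    admin_tok = SESSIONS["s-admin"]["csrf"]

    def run(name, handler, req):
        recs = copy.deepcopy(RECORDS)
        status = handler(req, recs) if handler is vulnerable_delete else handler(req, recs, SESSIONS)
        out[name] = (status, sorted(recs))

    # Unauthenticated GET deletes bob's record through the vulnerable handler.
    run("vuln_unauth_get", vulnerable_delete, make_request("GET", params={"id": "2"}))
    # Same request against the hardened handler fails the method check.
    run("hard_unauth_get", hardened_delete, make_request("GET", params={"id": "2"}))
    # Logged-in user whose form carries no token (the HireFlow / nonce case).
    run("hard_no_csrf", hardened_delete, make_request("POST", sid="s-alice", form={"id": "1"}))
    # Valid token, but alice targets bob's record: ownership check fails.
    run("hard_wrong_owner", hardened_delete,
        make_request("POST", sid="s-alice", form={"id": "2", "csrf_token": alice_tok}))
    # Valid token on her own record: allowed.
    run("hard_own_record", hardened_delete,
        make_request("POST", sid="s-alice", form={"id": "1", "csrf_token": alice_tok}))
    # Admin with a valid token may delete any record.
    run("hard_admin", hardened_delete,
        make_request("POST", sid="s-admin", form={"id": "2", "csrf_token": admin_tok}))
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: status={result[0]} remaining={result[1]}")
```

The order of the checks matters: method first, so a GET never reaches the session or database; CSRF before authorization, so a forged cross-site POST from a logged-in admin's browser is still refused; and the ownership or role check last, against the record actually being deleted rather than against a bare "is logged in" test, which is the gap SuiteCRM's API delete and SilverStripe's CSV import both show.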