Lucene search: 801 matches found

Vulnrichment
added 2026/03/26 12:0 a.m. (2 views)

CVE-2026-29934

A reflected cross-site scripting (XSS) vulnerability in the /admin/menus component of Lightcms v2.0 allows attackers to execute arbitrary JavaScript in the context of the user's browser by modifying the referer value in the request header...

AI score: 5.8, EPSS: 0.00203
Exploits: 1, References: 1
Positive Technologies
added 2026/03/26 12:0 a.m. (2 views)

PT-2026-28391

Name of the Vulnerable Software and Affected Versions: Lightcms version 2.0. Description: A reflected cross-site scripting (XSS) issue exists in the /admin/menus component. This allows attackers to execute arbitrary JavaScript within a user's browser by altering the referer value in the request header...

CVSS: 6.1, AI score: 6, EPSS: 0.00203
Exploits: 1, References: 3
CNNVD
added 2026/03/26 12:0 a.m. (6 views)

Jianhua Sun LightCMS security vulnerability

Jianhua Sun LightCMS is an open-source application developed by Jianhua Sun. It provides a lightweight CMS and can also be used as a general-purpose backend management framework. LightCMS v2.0 has a security vulnerability that stems from a reflected XSS...

CVSS: 6.1, AI score: 6, EPSS: 0.00203
Exploits: 1, References: 1
CVE
added 2026/03/26 12:0 a.m. (5 views)

CVE-2026-29934

CVE-2026-29934 describes a reflected XSS in Lightcms v2.0, specifically the /admin/menus component. An attacker can inject arbitrary JavaScript by manipulating the Referer header in requests, causing the payload to execute in the user’s browser context. Public notes across multiple feeds corrobor...

CVSS: 6.1, AI score: 5.8, EPSS: 0.00203
Exploits: 1, References: 1, Affected Software: 1
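The entries above all describe the same sink: a Referer value written back into an admin page. The following is an added worked example, not LightCMS code and not taken from any of the advisories; the application origin, the "back" link template and the function names are assumed for illustration. It shows the raw-interpolation pattern that produces a reflected XSS from the Referer header, and a hardened version that parses the header as a URL, accepts only same-origin http(s) referrers, re-emits just the path and query, and HTML-escapes the result for the attribute context.

```javascript
// Added example, not code from LightCMS. A "back to previous page" link built
// from the Referer request header, first unsafely, then hardened.

// Minimal HTML escaper for text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the header is interpolated straight into markup, so a
// Referer such as  "><script>...</script>  closes the attribute and injects.
function renderBackLinkVulnerable(referer) {
  return `<a href="${referer}">Back</a>`;
}

// Hardened pattern:
//  1. parse the header as a URL; anything unparseable falls back to a fixed path,
//  2. accept only http(s) URLs whose origin is the application's own,
//  3. keep just path + query (never re-emit the absolute URL),
//  4. HTML-escape whatever is finally written into the attribute.
function renderBackLinkSafe(referer, appOrigin, fallback = '/admin') {
  let href = fallback;
  if (typeof referer === 'string' && referer !== '') {
    try {
      const u = new URL(referer);
      const isHttp = u.protocol === 'http:' || u.protocol === 'https:';
      // "javascript:" parses fine but fails the scheme check; a foreign host
      // fails the origin check; both keep the fallback.
      if (isHttp && u.origin === appOrigin) href = u.pathname + u.search;
    } catch (_) {
      // garbage that does not parse as a URL at all lands here: keep the fallback
    }
  }
  return `<a href="${escapeHtml(href)}">Back</a>`;
}

// Constructed inputs for a quick self-check (assumed origin, constructed payload).
const APP_ORIGIN = 'https://cms.example';
const PAYLOAD = '"><script>alert(document.cookie)</script>';

console.log(renderBackLinkVulnerable(PAYLOAD));
console.log(renderBackLinkSafe(PAYLOAD, APP_ORIGIN));
console.log(renderBackLinkSafe('https://cms.example/admin/menus?id=2', APP_ORIGIN));
```

Two checks a reviewer would make on the hardened path: the origin comparison is against the full origin (scheme, host, port), not a substring match, so `https://cms.example.attacker.test` is rejected; and escaping happens last, on the value actually written, so a same-origin referrer carrying markup in its query string is still inert.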
EUVD
added 2026/03/19 3:31 p.m. (2 views)

EUVD-2026-13111

Devome GRR v4.5.0 was discovered to contain multiple authenticated SQL injection vulnerabilities in the include/session.inc.php file via the referer and user-agent...

AI score: 5.8, EPSS: 0.00259
Exploits: 0, References: 3
EUVD
added 2026/03/11 12:12 a.m. (2 views)

EUVD-2026-10911

Sylius has an Open Redirect via Referer Header...

CVSS: 6.9, AI score: 5.8, EPSS: 0.00172
Exploits: 0, References: 1
OSV
added 2026/03/11 12:12 a.m. (3 views)

GHSA-9FFX-F77R-756W Sylius has an Open Redirect via Referer Header

Impact CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. Th...

CVSS: 6.9, AI score: 5.8, EPSS: 0.00172
Exploits: 0, References: 3
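The Sylius advisory describes controllers that redirect to the Referer as received. The block below is an added example, not Sylius code and not PHP; it models the same "send the user back where they came from" decision in JavaScript with a constructed request object, an assumed application origin `https://shop.example` and assumed function names. The vulnerable helper returns the header verbatim; the hardened helper resolves the header against the app origin, requires the resulting origin to match exactly (scheme, host and port), and redirects to the relative part only, so protocol-relative, userinfo and look-alike-host tricks all collapse to the fallback.

```javascript
// Added example, not Sylius code. A controller that redirects back to the
// referring page after an action (e.g. a currency or locale switch).

const APP_ORIGIN = 'https://shop.example';   // assumed application origin

// Vulnerable pattern: the redirect target is whatever the client sent.
// A victim who follows a link to /switch-currency/EUR from an attacker-controlled
// page arrives with Referer: https://attacker.example/... and is bounced straight
// back out to the attacker's site by the application's own 302.
function redirectTargetVulnerable(referer, fallback = '/') {
  return referer || fallback;
}

// Hardened pattern: resolve the Referer against the app origin, accept it only
// if it still lands on exactly that origin, and redirect to the relative part.
function redirectTargetSafe(referer, appOrigin, fallback = '/') {
  if (typeof referer !== 'string' || referer === '') return fallback;
  let u;
  try {
    u = new URL(referer, appOrigin);       // base makes "//host/..." resolve to https://host/
  } catch (_) {
    return fallback;                       // unparseable header
  }
  if (u.origin !== appOrigin) return fallback;   // scheme, host and port must all match
  return u.pathname + u.search + u.hash;   // never re-emit the absolute URL
}

// Simulated controller around the hardened helper. `req` is a constructed
// object of shape { headers: {...} }, not a framework request.
function switchCurrencyAction(req, appOrigin = APP_ORIGIN) {
  // the currency switch itself is omitted; only the redirect decision matters here
  const location = redirectTargetSafe(req.headers['referer'], appOrigin);
  return { status: 302, headers: { Location: location } };
}

// Constructed requests: one from an attacker's lure page, one from the shop itself.
console.log(switchCurrencyAction({ headers: { referer: 'https://attacker.example/lure' } }));
console.log(switchCurrencyAction({ headers: { referer: 'https://shop.example/cart?x=1' } }));
```

Resolving with a base URL is deliberate: the Referer header is normally absolute, but a relative or protocol-relative value should still be judged by where it resolves, not trusted because it "has no host". If the application legitimately needs to return users to another trusted host, that host belongs in an explicit allow-list compared by exact origin, not in a prefix or substring match.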
Snyk
added 2026/03/11 12:12 a.m. (3 views)

Open Redirect

Overview: sylius/sylius is a platform for PHP, based on the Symfony framework. Affected versions of this package are vulnerable to Open Redirect in the handling of the switchAction, impersonateAction, and handle processes when redirecting users based on the HTTP Referer header. An attacker can redirec...

CVSS: 8.3, AI score: 5.8, EPSS: 0.00172
Exploits: 0, References: 2
Github Security Blog
added 2026/03/11 12:12 a.m. (34 views)

Sylius has an Open Redirect via Referer Header

Impact CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. Th...

CVSS: 6.9, AI score: 5.6, EPSS: 0.00172
Exploits: 0, References: 3, Affected Software: 1
NVD
added 2026/03/10 10:16 p.m. (5 views)

CVE-2026-31819

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

CVSS: 6.9, EPSS: 0.00172
Exploits: 0, References: 1
Vulnrichment
added 2026/03/10 9:18 p.m. (3 views)

CVE-2026-31819 Sylius has an Open Redirect via Referer Header

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

CVSS: 6.9, AI score: 5.6, EPSS: 0.00172
Exploits: 0, References: 1
Cvelist
added 2026/03/10 9:18 p.m. (27 views)

CVE-2026-31819 Sylius has an Open Redirect via Referer Header

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

CVSS: 6.9, EPSS: 0.00172
Exploits: 0, References: 1
CVE
added 2026/03/10 9:18 p.m. (7 views)

CVE-2026-31819

Sylius (Open Source eCommerce Framework on Symfony) has a referer-based redirect issue in CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction, and StorageBasedLocaleSwitcher::handle. The vulnerability arises when a victim clicks a link on an attacker-controlled pa...

CVSS: 6.9, AI score: 5.6, EPSS: 0.00172
Exploits: 0, References: 1, Affected Software: 1
ATTACKERKB
added 2026/03/10 9:18 p.m. (3 views)

CVE-2026-31819

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

CVSS: 6.9, AI score: 5.6, EPSS: 0.00172
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2026/03/10 9:18 p.m. (6 views)

CVE-2026-31819 Sylius has an Open Redirect via Referer Header

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

CVSS: 6.9, AI score: 5.6, EPSS: 0.00172
Exploits: 0, References: 3
CNNVD
added 2026/03/10 12:0 a.m. (4 views)

Sylius input validation error vulnerability

Sylius is an open-source e-commerce platform developed by the Polish company Sylius, based on the Symfony framework. Sylius has an input validation vulnerability: multiple controllers use the HTTP Referer header directly for redirection, which can lead t...

CVSS: 6.9, AI score: 5.8, EPSS: 0.00172
Exploits: 0, References: 1
Positive Technologies
added 2026/03/10 12:0 a.m. (2 views)

PT-2026-24473

Name of the Vulnerable Software and Affected Versions: Sylius versions prior to 1.9.12; Sylius versions prior to 1.10.16; Sylius versions prior to 1.11.17; Sylius versions prior to 1.12.23; Sylius versions prior to 1.13.15; Sylius versions prior to 1.14.18; Sylius versions prior to 2.0.16; Sylius version...

CVSS: 6.9, AI score: 5.7, EPSS: 0.00172
Exploits: 0, References: 7
Snyk
added 2026/02/24 6:31 p.m. (1 view)

Authentication Bypass Using an Alternate Path or Channel

Overview: fuxa-server is web-based Process Visualization SCADA/HMI/Dashboard software. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via improper validation of the Referer header in the authentication process. An unauthorized attacker...

CVSS: 9.8, AI score: 6.3, EPSS: 0.05633
Exploits: 7, References: 2
OSV
added 2026/02/24 6:31 p.m. (7 views)

GHSA-4R4R-4JP4-WWF9 FUXA has JWT Authentication Bypass via HTTP Referer header spoofing

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can...

CVSS: 9.8, AI score: 6.5, EPSS: 0.05633
Exploits: 7, References: 4
Github Security Blog
added 2026/02/24 6:31 p.m. (6 views)

FUXA has JWT Authentication Bypass via HTTP Referer header spoofing

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can...

CVSS: 9.8, AI score: 6.3, EPSS: 0.05633
Exploits: 7, References: 4, Affected Software: 1