CVE-2026-36460
Dovestones Software's ADPhonebook before v4.0.1.1 is vulnerable to a Cross Site Scripting vulnerability. The /Admin/Save API allows an authenticated admin user to store malicious JavaScript payloads in multiple configuration sections without proper input validation or output encoding...
CVE-2026-36460
ADPhonebook versions before 4.0.1.1 are affected by a stored Cross-Site Scripting (XSS) vulnerability via the /Admin/Save API. An authenticated administrator can place malicious JavaScript payloads into multiple configuration sections due to insufficient input validation or lack of proper output ...
WordPress Paytium: Mollie payment forms & donations plugin <= 4.3.7 - Missing Authorization in 'paytium_sw_save_api_keys' vulnerability
Missing Authorization in 'paytium_sw_save_api_keys' vulnerability discovered by WordFence in WordPress Plugin Paytium versions <= 4.3.7...
CVE-2021-33031
In LabCup before...
PT-2024-16167 · WordPress · Ce21 Suite
Name of the Vulnerable Software and Affected Versions: CE21 Suite plugin for WordPress versions up to, and including, 2.2.0 Description: The issue is related to unauthorized modification of data due to a missing capability check on the ce21 single sign on save api settings function. This allows...
VulnCheck KEV: CVE-2023-7289
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized API key update due to a missing capability check on the paytium_sw_save_api_keys function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with...
PT-2024-25754 · Unknown · Computer Laboratory Management System
Name of the Vulnerable Software and Affected Versions: Computer Laboratory Management System version 1.0 Description: The issue concerns a Cross Site Scripting vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the firstname, middlename, lastname parameters in th...
CVE-2021-33031
In LabCup before v2next18022, it is possible to use the save API to perform unauthorized actions for users without access to user management in order to, after successful exploitation, gain access to a victim's account. A user without the user-management privilege can change another user's email...
Authentication flaw
In LabCup before v2next18022, it is possible to use the save API to perform unauthorized actions for users without access to user management in order to, after successful exploitation, gain access to a victim's account. A user without the user-management privilege can change another user's email...
CVE-2018-19545
JEECMS 9.3 has CSRF via the api/admin/role/save URI to add a user...
dotCMS 'stName' Parameter SQL Injection Vulnerability
dotCMS is a content management system (CMS) developed in Java. A SQL injection vulnerability exists in the 'stName' parameter in dotCMS versions prior to 3.3.2, which allows remote attackers to execute arbitrary SQL commands via the stName parameter in api/content/save/1...