127708 matches found
Digital-Archiving-Solutions-RCE-PoC
LPD Server — Shell Injection Exploit RFC 1179 Disclaimer...
Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Apple Mac_Os_X
ICMP Timestamp Scanner — CVE-1999-0524 ╔═══════════════...
WordPress WP CTA – Call Now Button, Sticky Button & Call to Action Builder plugin <= 2.2.2 - Unauthenticated Time-Based Blind SQL Injection vulnerability
Unauthenticated Time-Based Blind SQL Injection vulnerability discovered by daroo in WordPress Plugin WordPress CTA versions = 2.2.2...
Malicious code in cbr-internal-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fa96f42fade399b9e73756e2abd62eafbfa11e2eb02fe1055d9c7e025fba4ab7 On module load, the package's main entrypoint shells out via childprocess.exec to run cat /etc/passwd and prints the contents to stdout. This fires...
MAL-2026-10530 Malicious code in cbr-internal-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fa96f42fade399b9e73756e2abd62eafbfa11e2eb02fe1055d9c7e025fba4ab7 On module load, the package's main entrypoint shells out via childprocess.exec to run cat /etc/passwd and prints the contents to stdout. This fires...
Malicious code in neteller (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 167278e6d334ec3629d24f3031e8dd2920ebbbdfd9ea4918cde2fd1d60e41c3c Package name and description impersonate the Paysafe-owned Neteller payment brand, with a fake repository URL 'github.com/paysafe/neteller'. The...
MAL-2026-10538 Malicious code in neteller (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 167278e6d334ec3629d24f3031e8dd2920ebbbdfd9ea4918cde2fd1d60e41c3c Package name and description impersonate the Paysafe-owned Neteller payment brand, with a fake repository URL 'github.com/paysafe/neteller'. The...
CVE-2026-11802
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration function, accessible via the wpajaxnoprivregistrationaction AJAX action, lacks any nonce verification or capability check, and...
CVE-2026-11802 FoodBook Lite <= 1.5.6 - Missing Authorization to Unauthenticated User Registration via 'registration_action' AJAX Action
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration function, accessible via the wpajaxnoprivregistrationaction AJAX action, lacks any nonce verification or capability check, and...
CVE-2026-11802
The CVE covers the FoodBook Lite WordPress plugin (up to version 1.5.6). The registration() function exposed via the wp_ajax_nopriv_registration_action AJAX action lacks nonce verification, lacks capability checks, and does not honor WordPress users_can_register before calling wp_insert_user(). T...
CVE-2026-11802
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration function, accessible via the wpajaxnoprivregistrationaction AJAX action, lacks any nonce verification or capability check, and...
EUVD-2026-43610
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration function, accessible via the wpajaxnoprivregistrationaction AJAX action, lacks any nonce verification or capability check, and...
PT-2026-57951
The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration function, accessible via the wp ajax nopriv registration action AJAX action, lacks any nonce verification or capability check,...
SIP Sustainable Irrigation Platform 5.x CSRF Disable Passphrase Authorization
Summary SIP is a free Raspberry Pi based Python program for controlling irrigation systems sprinkler, drip, hydroponic, etc. It uses web technology to provide an intuitive user interface UI in several languages. The UI can be accessed in your favorite browser on desktop, laptop, and mobile device...
GHSA-VRR2-G9GH-C3JC Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
Summary The Timesheet API PATCH /api/timesheets/id and POST /api/timesheets endpoints accept a user-supplied project ID and resolve it through a Symfony EntityType whose querybuilder allows the submitted ID to satisfy the access predicate via an unconditional OR branch. As a result, any...
Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass
Summary The Timesheet API PATCH /api/timesheets/id and POST /api/timesheets endpoints accept a user-supplied project ID and resolve it through a Symfony EntityType whose querybuilder allows the submitted ID to satisfy the access predicate via an unconditional OR branch. As a result, any...
GHSA-PGCC-VFMC-7CW5 Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes
Summary Kimai 2.56.0 contains authenticated cross-site request forgery issues in its default team creation shortcuts for projects, customers, and activities. These endpoints are exposed through GET routes and directly create or reuse a Team, add the current user as teamlead, and bind the target...
Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes
Summary Kimai 2.56.0 contains authenticated cross-site request forgery issues in its default team creation shortcuts for projects, customers, and activities. These endpoints are exposed through GET routes and directly create or reuse a Team, add the current user as teamlead, and bind the target...
GHSA-C67F-GMXW-MJ93 FacturaScripts: Account takeover of any 2FA-enabled user
Authentication bypass in FacturaScripts: /login?action=two-factor-validation accepts brute-forceable TOTP without password or CSRF protection Summary Core/Controller/Login.php::twoFactorValidationAction accepts an unauthenticated POST containing only fsNick and fsTwoFactorCode. If the TOTP value...
FacturaScripts: Account takeover of any 2FA-enabled user
Authentication bypass in FacturaScripts: /login?action=two-factor-validation accepts brute-forceable TOTP without password or CSRF protection Summary Core/Controller/Login.php::twoFactorValidationAction accepts an unauthenticated POST containing only fsNick and fsTwoFactorCode. If the TOTP value...