CVE-2026-35503
A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these...
Webb Fontaine Trade Portal Information Disclosure
A security vulnerability was identified in the Webb Fontaine Trade Portal affecting the codification module /trade/help/codification. The issue allows unauthorized users to trigger data export functionality via the /export/excel endpoint without proper validation of session state or user...
CVE-2026-25875
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the admin authorization middleware trusts client-controlled JWT claims role and scope without enforcing server-side role verification...
CVE-2026-25875
PlaciPy 1.0.0 is affected by CVE-2026-25875 where the admin authorization middleware trusts client-controlled JWT claims (role and scope) without server-side verification. This can enable privilege escalation or unauthorized admin-level actions by an attacker presenting manipulated JWTs. The CVSS...
CVE-2026-25875 PlaciPy Admin Privilege Escalation via Trusted JWT Claims
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the admin authorization middleware trusts client-controlled JWT claims role and scope without enforcing server-side role verification...
PT-2026-7161
Name of the Vulnerable Software and Affected Versions: PlaciPy version 1.0.0. Description: PlaciPy is a placement management system for educational institutions. The admin authorization middleware in version 1.0.0 trusts client-controlled JWT claims, specifically the role and scope, without performi...
PlaciPy Security Vulnerability
PlaciPy is an open-source employment management system developed by Praskla Technology. It aims to simplify the employment processes for students, trainers, and administrators in educational institutions. Version 1.0.0 of PlaciPy contains a security vulnerability. This vulnerability stems from th...
CVE-2024-3884
A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParseStreamSourceChannel method to parse large form data encoded as application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows...
EUVD-2025-84360
The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthenticated payment bypass due to missing payment verification in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the...
CVE-2025-12788
CVE-2025-12788 concerns the Hydra Booking — Appointment Scheduling & Booking Calendar WordPress plugin. The vulnerability affects all versions up to 1.1.27 and stems from missing server-side verification of payment status inside the tfhb_meeting_paypal_payment_confirmation_callback function; the ...
EUVD-2024-25202
Malicious code in bioql PyPI...
WordPress RingCentral Communications 1.6.8 Authentication Bypass
WordPress RingCentral Communications plugin versions 1.5 through 1.6.8 have a missing server-side verification that allows for authentication bypass...
CVE-2024-28029
Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality...
PT-2024-22223 · Delta Electronics +1 · Diaenergie
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue arises from incomplete server-side verification of privileges, allowing users with limited privileges to bypass authorization and access...
PT-2023-14628 · Unknown · Livebox Collaboration Vdesk
Name of the Vulnerable Software and Affected Versions: LIVEBOX Collaboration vDesk versions through v018. Description: An issue allows a bypass of Two-Factor Authentication under the "/api/v1/vdeskintegration/challenge" endpoint. Since only the client side verifies whether a check was...
Hubei Radio and Television Station Yangtze River Cloud Android APP suffers from an unauthorized access vulnerability
Yangtze River Cloud Android APP is a news and information software created by Hubei Radio and Television Station, which integrates the three functions of government affairs, news and information, and life services. A vulnerability exists in the Hubei Radio and Television Changjiang Cloud Android...
Enter: IDOR on removing Share
Issue: In the case of Operator Wallets, only the Owner has permission to delete a share with any user. But it is possible for any user to delete a share for any other user. POC: 1. Suppose a wallet BITCOINS is created by user A and shared with users B and C. 2. User B can send the following request and dele...
Square: Delayed, fraudulent transactions possible with encrypted Square Reader devices due to lack of server-side verification of device transaction counter
Although Square Readers implement encryption, possibly with a Derived Unique Key Per Transaction (DUKPT) scheme, the transaction counter of a Square Reader device is not verified when performing server-side decryption of swipe data. During a valid sale, a malicious merchant or third party can recor...
Design/Logic Flaw
A vulnerability has been identified in SCALANCE X-200 switch family incl. SIPLUS NET variants Versions V5.0.0 for CVE-2013-3633 and versions V4.5.0 for CVE-2013-3634, SCALANCE X-200IRT switch family incl. SIPLUS NET variants All versions V5.1.0. The user privileges for the web interface are only...