28 matches found

EUVD · added 2026/05/26 5:43 p.m. · 5 views

EUVD-2026-31944

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to 1.8.3, AccessControlInterceptor, the authentication gate for all Struts2 actions, unconditionally calls invocation.invoke without checking for a valid session. Four action methods in BoilerPlateConfig perform no local...

CVSS 9.8 · AI score 5.8 · EPSS 0.00179 · Exploits 0 · References 2
Tenable Nessus · added 2026/04/15 12:00 a.m. · 2 views

SUSE SLES12 Security Update : kernel (Live Patch 73 for SUSE Linux Enterprise 12 SP5) (SUSE-SU-2026:1304-1)

The remote SUSE Linux SLES12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1304-1 advisory. This update for the SUSE Linux Enterprise Kernel 4.12.14-122.275 fixes various security issues. The following security issues were fixed: -...

CVSS 7.8 · AI score 6.5 · EPSS 0.00063 · Exploits 0 · References 22
Github Security Blog · added 2026/04/01 8:54 p.m. · 4 views

AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

Summary The AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck,...

CVSS 6.5 · AI score 6 · EPSS 0.00008 · Exploits 1 · References 5 · Affected Software 1
OSV · added 2026/03/20 9:47 p.m. · 2 views

GHSA-HV36-P4W4-6VMJ AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload

Summary The objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookie_samesite = 'None' for HTTPS connections, an unauthenticated...

CVSS 8.8 · AI score 6.2 · EPSS 0.00103 · Exploits 1 · References 4
OSV · added 2026/02/02 4:15 a.m. · 0 views

CVE-2026-1740

A vulnerability was found in EFM ipTIME A8004T 14.18.2. This impacts the function httpcon_check_session_url of the file /cgi/timepro.cgi of the component Hidden Hiddenloginsetup Interface. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has...

CVSS 9.8 · AI score 5.3 · EPSS 0.00096 · Exploits 0 · References 4
EUVD · added 2026/02/02 3:02 a.m. · 3 views

EUVD-2026-5127

A vulnerability was determined in EFM ipTIME A8004T 14.18.2. Affected is the function httpcon_check_session_url of the file /sess-bin/d.cgi of the component Debug Interface. This manipulation of the argument cmd causes backdoor. It is possible to initiate the attack remotely. The complexity of an...

CVSS 7.5 · AI score 4.5 · EPSS 0.00112 · Exploits 0 · References 4
Vulnrichment · added 2026/02/02 3:02 a.m. · 3 views

CVE-2026-1741 EFM ipTIME A8004T Debug d.cgi httpcon_check_session_url backdoor

A vulnerability was determined in EFM ipTIME A8004T 14.18.2. Affected is the function httpcon_check_session_url of the file /sess-bin/d.cgi of the component Debug Interface. This manipulation of the argument cmd causes backdoor. It is possible to initiate the attack remotely. The complexity of an...

CVSS 7.5 · AI score 4.5 · EPSS 0.00112 · Exploits 0 · References 4
CNNVD · added 2026/02/02 12:00 a.m. · 2 views

EFM ipTIME A8004T authorization vulnerability

The EFM ipTIME A8004T is a wireless router produced by the South Korean company EFM. Version 14.18.2 of the EFM ipTIME A8004T contains an authorization vulnerability. This vulnerability stems from incorrect operations on the function httpcon_check_session_url in the file /cgi/timepro.cgi, which m...

CVSS 9.8 · AI score 7.1 · EPSS 0.00096 · Exploits 0 · References 4
Tenable Nessus · added 2026/01/16 12:00 a.m. · 2 views

MiracleLinux 7 : java-11-openjdk-11.0.1.13-3.el7 (AXSA:2019-3622:01)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2019-3622:01 advisory. OpenJDK: Improper field access checks Hotspot, 8199226 CVE-2018-3169 OpenJDK: Unrestricted access to scripting engine Scripting, 8202936 CVE-2018-31...

CVSS 9 · AI score 6.5 · EPSS 0.00783 · Exploits 2 · References 8
EUVD · added 2025/10/07 12:30 a.m. · 3 views

EUVD-2017-18030

Malware in sbrugna...

CVSS 7.5 · AI score 7.6 · EPSS 0.00198 · Exploits 0 · References 2
RedhatCVE · added 2025/05/22 10:58 a.m. · 3 views

CVE-2017-9091

/admin/loginc.php in Allen Disk 1.6 doesn't check if isset($_SESSION['captcha']['code']) == 1, which leads to CAPTCHA bypass by emptying $_POST['captcha']...

CVSS 7.5 · AI score 6.9 · EPSS 0.00198 · Exploits 0 · References 1
CNNVD · added 2024/07/09 12:00 a.m. · 1 views

WordPress plugin Cliengo - Chatbot security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin... A security vulnerability...

CVSS 5.4 · AI score 6.5 · EPSS 0.00089 · Exploits 0 · References 3
Positive Technologies · added 2024/03/18 12:00 a.m. · 2 views

PT-2024-20465 · Unknown · Raspberrymatic +1

Name of the Vulnerable Software and Affected Versions: RaspberryMatic / OCCU versions prior to 3.75.6.20240316 Description: RaspberryMatic is an open-source operating system for HomeMatic internet-of-things devices. The issue is caused by multiple problems within the Java-based HMIPServer.jar...

CVSS 10 · AI score 10 · EPSS 0.64209 · Exploits 4 · References 4
Veracode · added 2023/10/06 9:09 a.m. · 14 views

Improper Authentication

asyncua is vulnerable to Improper Authentication. The vulnerability is due to a missing active session check, which lets an attacker access an Address Space without encryption and authentication allowing an attacker to steal sensitive data...

CVSS 7.5 · AI score 6.9 · EPSS 0.00161 · Exploits 1 · References 8 · Affected Software 1
Openbugbounty · added 2018/06/18 2:20 a.m. · 10 views

billcapture.energycap.com XSS vulnerability

Open Bug Bounty ID: OBB-633428. Affected Website: billcapture.energycap.com; Open Bug Bounty Program: Create your bounty program now. It's open and free; Vulnerable Application: Custom Code; Vulnerability Type: XSS Cross Site Scripting / CWE-79; CVSSv3 Score: 6.1...

Exploits 0
myhack58 · added 2017/06/08 12:00 a.m. · 18 views

An "authentication bypass" vulnerability found in JS files - vulnerability warning - the black bar safety net

This article's content originates from a private vulnerability bounty program. In this program, the accepted vulnerability scope is limited to a few public functions of the target sites. The issues had been discovered early on; when I was invited into the program, the other participants had in total submitted...

AI score 6.9 · Exploits 0
OSV · added 2017/05/19 6:29 p.m. · 0 views

CVE-2017-9090

reg.php in Allen Disk 1.6 doesn't check if isset($_SESSION['captcha']['code']) == 1, which makes it possible to bypass the CAPTCHA via an empty $_POST['captcha']...

CVSS 7.5 · AI score 5.8 · Exploits 0 · References 1
OSV · added 2017/05/19 6:29 p.m. · 1 views

CVE-2017-9091

/admin/loginc.php in Allen Disk 1.6 doesn't check if isset($_SESSION['captcha']['code']) == 1, which leads to CAPTCHA bypass by emptying $_POST['captcha']...

CVSS 7.5 · AI score 5.8 · Exploits 0 · References 1
CNVD · added 2017/02/27 12:00 a.m. · 1 views

Authentication Bypass Vulnerability in Weetop CMS Backend

Weetop CMS is a web content management system developed by Hangzhou Tintop Technology Co. An authentication bypass vulnerability exists in the Weetop CMS V2.0 administration backend in the login session check processing mechanism. An attacker can bypass the forced jump without login by disabling...

AI score 7.3 · Exploits 0
NVD · added 2016/04/11 9:59 p.m. · 16 views

CVE-2015-8398

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check...

CVSS 6.1 · AI score 6 · EPSS 0.00514 · Exploits 4 · References 2