
10 matches found

Cvelist
added 6 days ago · 24 views

CVE-2026-9860 Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' / 'account-id' Parameters in cf_images_do_setup AJAX Action

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which require...

CVSS 8.8 · EPSS 0.00577
Exploits: 0 · References: 6

SUSE CVE
added 2025/08/28 11:36 p.m. · 4 views

SUSE CVE-2024-48908

The lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2...

CVSS 9.1 · AI score 7.8 · EPSS 0.00359
Exploits: 0 · References: 3

RedhatCVE
added 2025/05/22 1:55 a.m. · 6 views

CVE-2011-5306

Cross-site request forgery (CSRF) vulnerability in cgi-bin/admin/setup_edit.cgi in CosmoShop ePRO 10.05.00 allows remote attackers to hijack the authentication of administrators for requests that modify settings via a setup action...

CVSS 6.8 · AI score 7.4 · EPSS 0.00609
Exploits: 1 · References: 1

VulnCheck KEV
added 2025/03/24 12:0 a.m. · 4 views

VulnCheck KEV: CVE-2025-30154

The reviewdog action-setup GitHub Action contains an embedded malicious code vulnerability that dumps exposed secrets to GitHub Actions Workflow Logs...

CVSS 8.6 · AI score 5.8 · EPSS 0.02296
Exploits: 2 · References: 1

NVD
added 2015/01/01 11:59 a.m. · 16 views

CVE-2011-5306

Cross-site request forgery (CSRF) vulnerability in cgi-bin/admin/setup_edit.cgi in CosmoShop ePRO 10.05.00 allows remote attackers to hijack the authentication of administrators for requests that modify settings via a setup action...

CVSS 6.8 · AI score 7 · EPSS 0.00609
Exploits: 1 · References: 1

CVE
added 2015/01/01 11:0 a.m. · 46 views

CVE-2011-5306

CVE-2011-5306 describes a Cross-Site Request Forgery (CSRF) vulnerability in CosmoShop ePRO 10.05.00. The flaw affects the CGI component cgi-bin/admin/setup_edit.cgi and enables remote attackers to hijack the authentication of administrators for requests that modify settings via a setup action. T...

CVSS 6.8 · AI score 7.2 · EPSS 0.00609
Exploits: 1 · References: 1 · Affected Software: 1

NVD
added 2011/11/28 11:55 a.m. · 17 views

CVE-2011-4329

Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr 3.1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the username parameter in a setup action to admin/company.php, or the PATH_INFO to (2) admin/securityother.php, (3) admin/events.php, or (4) admin/user.php...

CVSS 4.3 · AI score 5.7 · EPSS 0.0236
Exploits: 0 · References: 5

Positive Technologies
added 2011/11/28 12:0 a.m. · 3 views

PT-2011-4932 · Dolibarr · Dolibarr

Name of the Vulnerable Software and Affected Versions: Dolibarr version 3.1.0. Description: The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the username parameter in a setup action to "admin/company.php", or the PATH_INFO to "admin/security...

CVSS 4.3 · AI score 6.5 · EPSS 0.0236
Exploits: 0 · References: 6

Prion
added 2009/03/30 1:30 a.m. · 13 views

Cross-site request forgery (CSRF)

LightNEasy/lightneasy.php in LightNEasy No database version 1.2 allows remote attackers to obtain the hash of the administrator password via the setup "do" action to LightNEasy.php, which is cleared from $_GET but later accessed using $_REQUEST...

CVSS 5 · AI score 7.3 · EPSS 0.06272
Exploits: 0 · References: 4 · Affected Software: 1

NVD
added 2009/03/30 1:30 a.m. · 13 views

CVE-2008-6537

LightNEasy/lightneasy.php in LightNEasy No database version 1.2 allows remote attackers to obtain the hash of the administrator password via the setup "do" action to LightNEasy.php, which is cleared from $_GET but later accessed using $_REQUEST...

CVSS 5 · AI score 6.8 · EPSS 0.06272
Exploits: 0 · References: 4