Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

49 matches found

GithubExploit
GithubExploitadded 2026/06/15 10:7 a.m.62 views

Exploit for CVE-2026-37072

CVE-2026-37072 Veno File Manager Project Veno File Manager Pro...

5.4AI score
Exploits0
NVD
NVDadded 2026/05/28 7:16 p.m.11 views

CVE-2026-45332

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS0.00298EPSS
Exploits1References1
EUVD
EUVDadded 2026/05/28 6:22 p.m.10 views

EUVD-2026-32980

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References1
Cvelist
Cvelistadded 2026/05/28 6:22 p.m.29 views

CVE-2026-45332 Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS0.00298EPSS
Exploits1References1
ATTACKERKB
ATTACKERKBadded 2026/05/28 6:22 p.m.6 views

CVE-2026-45332

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References2Affected Software1
OSV
OSVadded 2026/05/27 9:32 p.m.8 views

GHSA-XM76-R88J-VM3G Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Summary A Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References3
NVD
NVDadded 2026/05/27 6:16 p.m.10 views

CVE-2026-44460

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totpsetup.php is callable from a session that has only passed the password check state pendingloginuser. When the target account already has TOTP configured, the endpoint...

7.4CVSS0.00265EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 2026/05/27 4:39 p.m.7 views

CVE-2026-44460 FileRise: TOTP Bypass via Setup Endpoint Disclosing Existing Secret

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totpsetup.php is callable from a session that has only passed the password check state pendingloginuser. When the target account already has TOTP configured, the endpoint...

7.4CVSS5.8AI score0.00265EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/05/27 4:39 p.m.40 views

CVE-2026-44460 FileRise: TOTP Bypass via Setup Endpoint Disclosing Existing Secret

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totpsetup.php is callable from a session that has only passed the password check state pendingloginuser. When the target account already has TOTP configured, the endpoint...

7.4CVSS0.00265EPSS
Exploits0References1
CVE
CVEadded 2026/05/27 4:39 p.m.12 views

CVE-2026-44460

FileRise (self-hosted web-based file manager) contains a vulnerability in /api/totp_setup.php prior to version 3.12.0. If a session has passed password check (state pending_login_user) and the target account already has TOTP configured, the endpoint decrypts and returns the existing TOTP secret i...

7.4CVSS5.8AI score0.00265EPSS
Exploits0References1
Positive Technologies
Positive Technologiesadded 2026/05/27 12:0 a.m.7 views

PT-2026-44053

Name of the Vulnerable Software and Affected Versions FileRise versions prior to 3.12.0 Description FileRise is a self-hosted web-based file manager. The endpoint '/api/totp setup.php' can be accessed by a session that has only completed the password verification state pending login user. If the...

7.4CVSS5.8AI score0.00265EPSS
Exploits0References4
Positive Technologies
Positive Technologiesadded 2026/05/24 12:0 a.m.13 views

PT-2026-42942

Name of the Vulnerable Software and Affected Versions Edimax BR-6675nD version 1.12 Description A buffer overflow can be triggered remotely via the POST Request Handler component. The issue exists within the formPPTPSetup function located in the '/goform/formPPTPSetup' endpoint when manipulating...

9CVSS7.5AI score0.00542EPSS
Exploits0References5
NVD
NVDadded 2026/05/07 7:16 p.m.8 views

CVE-2026-41902

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

9.1CVSS0.00246EPSS
Exploits0References2
ATTACKERKB
ATTACKERKBadded 2026/05/07 6:3 p.m.4 views

CVE-2026-41902

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

9.1CVSS5.8AI score0.00246EPSS
Exploits0References3Affected Software1
CVE
CVEadded 2026/05/07 6:3 p.m.12 views

CVE-2026-41902

CVE-2026-41902 affects FreeScout (Laravel-based help desk). Before v1.8.217, the endpoint /user-setup/{hash} accepts a 60-character invite_hash to set a new user’s password and does not expire the hash, leaving it valid until used. If the invite link leaks (e.g., forwarded emails, logs, or referr...

9.1CVSS5.8AI score0.00246EPSS
Exploits0References2
EUVD
EUVDadded 2026/05/07 6:3 p.m.7 views

EUVD-2026-28405

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

9.1CVSS5.8AI score0.00246EPSS
Exploits0References2
Positive Technologies
Positive Technologiesadded 2026/05/07 12:0 a.m.7 views

PT-2026-38547

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.217 Description The '/user-setup/hash' endpoint accepts a 60-character random invite hash to set a new user's password but does not perform an expiration check, allowing the hash to remain valid indefinitely unt...

9.1CVSS5.8AI score0.00246EPSS
Exploits0References12
Packet Storm
Packet Stormadded 2026/05/05 12:0 a.m.46 views

📄 phpMyFAQ 4.0.16 Improper Authorization

phpMyFAQ versions 4.0.16 and below suffer from an improper authorization vulnerability. Exploit Title: phpMyFAQ = 4.0.16 - Improper Authorization Google Dork: N/A Date: 2026-01-23 Exploit Author: GUIA BRAHIM FOUAD Vendor Homepage: https://www.phpmyfaq.de/ Software Link:...

6.5CVSS5.8AI score0.01734EPSS
Exploits3
CVE
CVEadded 2026/04/12 12:28 p.m.9 views

CVE-2019-25708

Heatmiser Wifi Thermostat 1.7 is affected by a cross-site request forgery (CSRF) that lets an attacker change administrator credentials by deceiving an authenticated user into submitting a crafted request to networkSetup.htm with parameters usnm, usps, and cfps. This can modify the admin username...

5.3CVSS5.7AI score0.00129EPSS
Exploits1References2Affected Software1
Cvelist
Cvelistadded 2026/04/12 12:28 p.m.29 views

CVE-2019-25708 Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery

Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters...

5.3CVSS0.00129EPSS
Exploits1References2
Rows per page
Query Builder