Lucene search
K

58 matches found

Cvelist
Cvelist
added 2026/07/02 7:43 p.m.37 views

CVE-2026-59101 AutoBangumi < 3.2.8 - SSRF via /api/v1/setup/test-downloader

AutoBangumi before 3.2.8 contains a server-side request forgery SSRF vulnerability that allows unauthenticated remote attackers to probe internal network services by supplying arbitrary host values to an unprotected setup endpoint. Attackers can send requests to the POST...

6.9CVSS0.00321EPSS
Exploits0References4
CVE
CVE
added 2026/07/02 7:43 p.m.23 views

CVE-2026-59101

AutoBangumi

6.9CVSS6AI score0.00321EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/02 7:43 p.m.8 views

CVE-2026-59101

AutoBangumi before 3.2.8 contains a server-side request forgery SSRF vulnerability that allows unauthenticated remote attackers to probe internal network services by supplying arbitrary host values to an unprotected setup endpoint. Attackers can send requests to the POST...

6.9CVSS6AI score0.00321EPSS
Exploits0References5
OSV
OSV
added 2026/07/02 7:43 p.m.3 views

CVE-2026-59101 AutoBangumi < 3.2.8 - SSRF via /api/v1/setup/test-downloader

AutoBangumi before 3.2.8 contains a server-side request forgery SSRF vulnerability that allows unauthenticated remote attackers to probe internal network services by supplying arbitrary host values to an unprotected setup endpoint. Attackers can send requests to the POST...

6.9CVSS6.2AI score0.00321EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.15 views

PT-2026-55301

Name of the Vulnerable Software and Affected Versions AutoBangumi versions prior to 3.2.8 Description An unauthenticated remote attacker can probe internal network services via a server-side request forgery SSRF issue. By providing arbitrary host values to the 'POST /api/v1/setup/test-downloader'...

6.9CVSS6.2AI score0.00321EPSS
Exploits0References10
NVD
NVD
added 2026/06/30 5:16 p.m.12 views

CVE-2026-58376

Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. Th...

7.6CVSS0.00221EPSS
Exploits0References4
CVE
CVE
added 2026/06/30 3:59 p.m.17 views

CVE-2026-58376

Dolibarr

7.6CVSS6AI score0.00221EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/30 3:59 p.m.9 views

EUVD-2026-40363

Dolibarr through 23.0.3, fixed in commit 14db36e, contains a sql injection vulnerability that allows authenticated API users to exfiltrate arbitrary database contents by supplying malicious values to the sqlfilters query parameter in the setup dictionary and multicurrencies REST API endpoints. Th...

7.6CVSS6AI score0.00221EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53933

Name of the Vulnerable Software and Affected Versions Dolibarr versions prior to 23.0.3 Description Authenticated API users can exfiltrate arbitrary database contents, including password hashes and API keys, via a SQL injection. The issue occurs when malicious values are supplied to the sqlfilter...

7.6CVSS6.1AI score0.00221EPSS
Exploits0References11
GithubExploit
GithubExploit
added 2026/06/15 10:7 a.m.86 views

Exploit for CVE-2026-37072

CVE-2026-37072 Veno File Manager Project Veno File Manager Pro...

5.4AI score
Exploits0
NVD
NVD
added 2026/05/28 7:16 p.m.13 views

CVE-2026-45332

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS0.00298EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/28 6:22 p.m.9 views

CVE-2026-45332

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/05/28 6:22 p.m.36 views

CVE-2026-45332 Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS0.00298EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/28 6:22 p.m.16 views

EUVD-2026-32980

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References1
OSV
OSV
added 2026/05/27 9:32 p.m.9 views

GHSA-XM76-R88J-VM3G Automad has Broken Access Control: Unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint

Summary A Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The /api/user-collection/create-first-user setup endpoint remains publicly accessible once initial configuration is...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References3
NVD
NVD
added 2026/05/27 6:16 p.m.14 views

CVE-2026-44460

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totpsetup.php is callable from a session that has only passed the password check state pendingloginuser. When the target account already has TOTP configured, the endpoint...

7.4CVSS0.00265EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/27 4:39 p.m.43 views

CVE-2026-44460 FileRise: TOTP Bypass via Setup Endpoint Disclosing Existing Secret

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totpsetup.php is callable from a session that has only passed the password check state pendingloginuser. When the target account already has TOTP configured, the endpoint...

7.4CVSS0.00265EPSS
Exploits0References1
CVE
CVE
added 2026/05/27 4:39 p.m.17 views

CVE-2026-44460

FileRise (self-hosted web-based file manager) contains a vulnerability in /api/totp_setup.php prior to version 3.12.0. If a session has passed password check (state pending_login_user) and the target account already has TOTP configured, the endpoint decrypts and returns the existing TOTP secret i...

7.4CVSS5.8AI score0.00265EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/27 4:39 p.m.8 views

CVE-2026-44460 FileRise: TOTP Bypass via Setup Endpoint Disclosing Existing Secret

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totpsetup.php is callable from a session that has only passed the password check state pendingloginuser. When the target account already has TOTP configured, the endpoint...

7.4CVSS5.8AI score0.00265EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.13 views

PT-2026-44053

Name of the Vulnerable Software and Affected Versions FileRise versions prior to 3.12.0 Description FileRise is a self-hosted web-based file manager. The endpoint '/api/totp setup.php' can be accessed by a session that has only completed the password verification state pending login user. If the...

7.4CVSS5.8AI score0.00265EPSS
Exploits0References4
Rows per page
Query Builder