45 matches found

EUVD
added 2026/03/11 9:31 a.m. · 1 views

EUVD-2026-11121

The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the haconditionupdate AJAX action. This is due to the validatereqeust method using currentusercan'editposts', $templateid instead of...

CVSS 6.4 · AI score 5.8 · EPSS 0.00047
Exploits 0 · References 7

Positive Technologies
added 2026/01/29 12:0 a.m. · 6 views

PT-2026-5345

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allows a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls...

AI score 6 · EPSS 0.00021
Exploits 0 · References 4

RedhatCVE
added 2026/01/09 9:55 a.m. · 3 views

CVE-2020-12470

MonoX through 5.1.40.5152 allows administrators to execute arbitrary code by modifying an ASPX template...

CVSS 7.2 · AI score 7.9 · EPSS 0.00443
Exploits 1 · References 1

RedhatCVE
added 2026/01/09 8:58 a.m. · 3 views

CVE-2023-45303

ThingsBoard before 3.5 allows Server-Side Template Injection if users are allowed to modify an email template, because Apache FreeMarker supports freemarker.template.utility.Execute for content sent to the /api/admin/settings endpoint...

CVSS 8.8 · AI score 7 · EPSS 0.00642
Exploits 1 · References 1

EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2025-6950

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 4.9 · EPSS 0.00228
Exploits 1 · References 3

EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2021-32524

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.8 · EPSS 0.00776
Exploits 1 · References 3

RedhatCVE
added 2025/05/23 7:50 a.m. · 2 views

CVE-2024-20302

A vulnerability in the tenant security implementation of Cisco Nexus Dashboard Orchestrator (NDO) could allow an authenticated, remote attacker to modify or delete tenant templates on an affected system. This vulnerability is due to improper access controls within tenant security. An attacker who i...

CVSS 5.4 · AI score 7.1 · EPSS 0.00121
Exploits 0 · References 1

RedhatCVE
added 2025/05/23 5:22 a.m. · 2 views

CVE-2023-7019

The LightStart – Maintenance Mode, Coming Soon and Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the inserttemplate function in all versions up to, and including, 2.6.8. This makes it possible for authenticated...

CVSS 4.3 · AI score 5.9 · EPSS 0.00119
Exploits 0 · References 1

CNVD
added 2025/03/27 12:0 a.m. · 3 views

lunary /v1/templates/{id}/versions endpoint access control error vulnerability

lunary is Lunary's open source production toolkit for LLMs. An access control error vulnerability exists in lunary, which stems from improper access control in the /v1/templates/{id}/versions endpoint, and can be exploited by an attacker to modify any user's templates...

CVSS 4.3 · AI score 6.6 · EPSS 0.00228
Exploits 1 · References 1

RedhatCVE
added 2025/03/22 1:18 p.m. · 3 views

CVE-2024-7476

A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is resolved in version 1.4....

CVSS 4.3 · AI score 6.8 · EPSS 0.00228
Exploits 1 · References 1

CVE
added 2025/03/20 10:9 a.m. · 38 views

CVE-2024-7476

The CVE-2024-7476 issue is a broken access control in lunary-ai/lunary versions 1.2.7 through 1.4.2. The root cause is improper access control on the /v1/templates/{id}/versions endpoint, which allows an authenticated attacker to modify any user’s templates by sending a crafted HTTP POST request....

CVSS 4.3 · AI score 4.3 · EPSS 0.00228
Exploits 1 · References 2 · Affected Software 1

Vulnrichment
added 2025/03/20 10:9 a.m. · 3 views

CVE-2024-7476 Broken Access Control in lunary-ai/lunary

A broken access control vulnerability exists in lunary-ai/lunary versions 1.2.7 through 1.4.2. The vulnerability allows an authenticated attacker to modify any user's templates by sending a crafted HTTP POST request to the /v1/templates/{id}/versions endpoint. This issue is resolved in version 1.4....

CVSS 4.3 · AI score 4.3 · EPSS 0.00228
Exploits 1 · References 2

CNNVD
added 2025/03/20 12:0 a.m. · 1 views

Lunary access control error vulnerability

lunary is Lunary's open source production toolkit for LLMs. An access control error vulnerability exists in lunary, which stems from improper access control in the /v1/templates/{id}/versions endpoint, and can be exploited by an attacker to modify any user's templates...

CVSS 4.3 · AI score 4.8 · EPSS 0.00228
Exploits 1 · References 2

RedHat Linux
added 2025/02/24 12:8 a.m. · 2 views

velocity: arbitrary code execution when attacker is able to modify templates

A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity...

CVSS 9 · AI score 7.2 · EPSS 0.16764
Exploits 0 · References 4

RedHat Linux
added 2025/02/24 12:8 a.m. · 3 views

velocity: arbitrary code execution when attacker is able to modify templates

A flaw was found in velocity. An attacker, able to modify Velocity templates, may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. The highest threat from this vulnerability is to data confidentiality and integrity...

CVSS 9 · AI score 7.2 · EPSS 0.16764
Exploits 0 · References 4

Positive Technologies
added 2024/12/09 12:0 a.m. · 2 views

PT-2024-36072 · Unknown · Winter Cms

Name of the Vulnerable Software and Affected Versions: Winter CMS versions prior to 1.2.7; Winter CMS versions prior to 1.1.11; Winter CMS versions prior to 1.0.476. Description: The issue allows users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on...

CVSS 8.4 · AI score 6.4 · EPSS 0.00075
Exploits 0 · References 12

OSV
added 2024/12/06 9:15 a.m. · 1 views

CVE-2024-9706

The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ucsmactivatelitetemplatelite function in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to change...

CVSS 5.3 · AI score 7.3
Exploits 0 · References 2

OSV
added 2024/06/07 1:15 p.m. · 1 views

CVE-2024-5382

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ma-template' REST API route in all versions up to, and including, 2.0.6.1. This makes it...

CVSS 5.3 · AI score 5.8 · EPSS 0.00238
Exploits 0 · References 2

Patchstack
added 2024/06/07 2:53 a.m. · 1 views

WordPress Master Addons plugin <= 2.0.6.1 - Missing Authorization to MA Template Creation or Modification vulnerability

Missing Authorization to MA Template Creation or Modification vulnerability discovered by Webbernaut in WordPress Plugin Master Addons for Elementor versions <= 2.0.6.1...

CVSS 6.5 · AI score 7 · EPSS 0.00238
Exploits 0 · References 1 · Affected Software 1

CNNVD
added 2023/11/29 12:0 a.m. · 2 views

Dreamer CMS Security Vulnerability

Dreamer CMS is a Dreamer Content Management System by Junnan Wang, an individual developer in China. A security vulnerability exists in Dreamer CMS versions prior to 4.0.1, which stems from a directory traversal vulnerability. An attacker can exploit this vulnerability to modify template files or...

CVSS 9.1 · AI score 6.7 · EPSS 0.00586
Exploits 1 · References 1