153 matches found
CVE-2026-50881
Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes...
CVE-2026-48612
Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’s account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover...
EUVD-2026-34289
A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit. When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could cra...
CVE-2026-44443
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail call fails...
EUVD-2026-31982
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail call fails...
Cross-site Request Forgery (CSRF)
Overview opencart/opencart is a shopping cart system Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the /account/edit endpoint. An attacker can alter account details, such as email addresses, by tricking users into visiting malicious pages, and subsequentl...
Infoopia Dovestones AD Self Update 安全漏洞
Infoopia Dovestones AD Self Update is a self-service catalog information update tool developed by the Canadian company Infoopia. Versions of Infoopia Dovestones AD Self Update prior to 4.0.0.5 contained security vulnerabilities. These vulnerabilities stemmed from the lack of CSRF token protection...
Exploit for CVE-2026-39912
CVE-2026-39912 - Xboard / V2Board Unauth Account Takeover M...
CVE-2026-4283
The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the super-unsubscribe AJAX action accepting a processnow parameter from unauthenticated users, which bypasses the intended email-confirmation...
phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint
Summary The WebAuthn prepare endpoint /api/webauthn/prepare creates new active user accounts without any authentication, CSRF protection, CAPTCHA, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Details File:...
PT-2026-6687
Name of the Vulnerable Software and Affected Versions SourceCodester Gas Agency Management System version 1.0 Description A flaw exists due to improper access controls in the processing of the /gasmark/php action/createUser.php file. This allows for unauthorized creation of accounts. The issue is...
CVE-2019-12502
There is a lack of CSRF countermeasures on MOBOTIX S14 MX-V4.2.1.61 cameras, as demonstrated by adding an admin account via the /admin/access URI...
PT-2025-51071
Name of the Vulnerable Software and Affected Versions Postem Ipsum versions up to and including 3.0.1 Description The Postem Ipsum plugin for WordPress has a flaw that allows unauthorized modification of data, leading to privilege escalation. Attackers with Subscriber-level access or higher can...
CVE-2025-65831
The application uses an insecure hashing algorithm MD5 to hash passwords. If an attacker obtained a copy of these hashes, either through exploiting cloud services, performing TLS downgrade attacks on the traffic from a mobile device, or through another means, they may be able to crack the hash in...
CVE-2025-65795
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request...
EUVD-2025-201723
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request...
GHSA-MG56-WC4Q-RW4W memos vulnerability allows the creation of arbitrary accounts
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request...
memos vulnerability allows the creation of arbitrary accounts
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request...
CVE-2025-65795
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request...
CVE-2025-65795
Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request...