EUVD-2018-21919

PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST...

EUVD-2026-32602

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

Lumiverse 竞争条件问题漏洞

Lumiverse is a full-featured AI chat application suite developed by Prolix OCs’ individual developers. Versions of Lumiverse prior to 0.9.7 contained a race condition vulnerability. This vulnerability stemmed from the fact that the consumeNonce function only checked whether module-level variables...

Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity

Summary According to SignalK's security documentation, when a server is first initialized without security enabled, the /skServer/enableSecurity endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design. However, the critical...

EUVD-2020-31039

HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user...

PT-2026-6587

Name of the Vulnerable Software and Affected Versions HRSALE version 1.1.8 Description HRSALE version 1.1.8 is susceptible to a cross-site request forgery condition. This allows attackers to add unauthorized administrative users via the employee registration form. An attacker can create a malicio...

CVE-2020-37046

Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative...

CVE-2020-37046 Sistem Informasi Pengumuman Kelulusan Online 1.0 - Cross-Site Request Forgery

Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative...

CVE-2020-37046

The Vuln is CSRF in Sistem Informasi Pengumuman Kelulusan Online 1.0, exploitable via the tambahuser.php endpoint to add unauthorized admin accounts. The issue allows craftable HTML forms to submit admin credentials without victim consent. Concrete details across connected records identify the vu...

EUVD-2025-204014

Open Source Point of Sale opensourcepos is a web based point of sale application written in PHP using CodeIgniter framework. Starting in version 3.4.0 and prior to version 3.4.2, a Cross-Site Request Forgery CSRF vulnerability exists in the application's filter configuration. The CSRF protection...

CVE-2023-53895 PimpMyLog 1.7.14 Improper Access Control via Account Creation Endpoint

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account,...

CVE-2023-53895 PimpMyLog 1.7.14 Improper Access Control via Account Creation Endpoint

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account,...

EUVD-2025-25065

Malicious code in bioql PyPI...

CVE-2025-6080

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticat...

CVE-2025-6080

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticat...

CVE-2025-6080

CVE-2025-6080 (WPGYM WordPress plugin) : The vulnerability allows unauthenticated admin account creation due to improper validation of user capabilities before adding users, enabling authenticated attackers with Subscriber level access and above to create new users, including admins. This affects...

CVE-2025-6080 WPGYM <= 67.7.0 - Missing Authorization to Admin Account Creation

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticat...

PT-2025-33523 · WordPress · Wpgym - Wordpress Gym Management System

Name of the Vulnerable Software and Affected Versions: WPGYM - Wordpress Gym Management System plugin versions prior to 67.7.1 Description: The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation. This is due to the plugin not properly...

CVE-2024-35433

ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user...

PT-2025-5854 · Sourcecodester · Sourcecodester Packers/Movers Management System

Name of the Vulnerable Software and Affected Versions: SourceCodester Packers and Movers Management System version 1.0 Description: The issue allows attackers to create unauthorized admin accounts via crafted requests sent to an authenticated admin user. This is due to a Cross Site Request Forger...