CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 6 days ago•7 views

CVE-2025-71318

NetMan 204 fails to enforce authentication on its administrative pages and command endpoints. A remote, unauthenticated attacker can directly request administrative pages such as administration.html, administration-commands.html, and configuration.html to disclose sensitive information including...

9.8CVSS0.0017EPSS

EUVD•added 6 days ago•5 views

EUVD-2025-210079

9.8CVSS5.5AI score0.0017EPSS

Cvelist•added 6 days ago•23 views

CVE-2025-71318 NetMan 204 Missing Authentication for Administrative Functions

9.8CVSS0.0017EPSS

Positive Technologies•added 6 days ago•6 views

PT-2026-47014

Name of the Vulnerable Software and Affected Versions NetMan 204 affected versions not specified Description Authentication is not enforced on administrative pages and command endpoints. A remote, unauthenticated attacker can directly request pages such as 'administration.html',...

9.8CVSS5.4AI score0.0017EPSS

Exploits0References7

RedhatCVE•added 2026/04/25 10:43 a.m.•1 views

CVE-2026-22746

A flaw was found in Spring Security. If an application uses the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, an attacker can bypass the DaoAuthenticationProvider's timing attack defense. This bypass allows an attacker to potentially gain limited information...

3.7CVSS5.2AI score0.00067EPSS

Cvelist•added 2026/04/22 8:39 p.m.•25 views

CVE-2026-41167 Jellystat has SQL Injection that leads to to Remote Code Execution

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

9.1CVSS0.00111EPSS

CVE•added 2026/04/22 8:39 p.m.•10 views

CVE-2026-41167

Jellystat prior to 1.1.10 exposes SQL injection via POST /api/getUserDetails and POST /api/getLibrary, where unsanitized request-body fields are interpolated into raw SQL. This allows an authenticated user to read any table (including app_config) and, due to node-postgres simple query usage, enab...

9.1CVSS6.1AI score0.00111EPSS

EUVD•added 2026/04/22 6:30 a.m.•1 views

EUVD-2026-24607

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.7AI score0.00067EPSS

ATTACKERKB•added 2026/04/22 5:2 a.m.•1 views

CVE-2026-22746

3.7CVSS5.7AI score0.00067EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2026/04/22 12:0 a.m.•3 views

PT-2026-34250

3.7CVSS5.7AI score0.00067EPSS

NVD•added 2026/04/21 3:16 p.m.•0 views

CVE-2026-31014

Dovestones Softwares AD Self Update 4.0.0.5 is vulnerable to Cross Site Request Forgery CSRF. The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally...

6.3CVSS0.00017EPSS

Vulnrichment•added 2026/04/21 12:0 a.m.•1 views

CVE-2026-31014

5.7AI score0.00017EPSS

Positive Technologies•added 2026/03/19 12:0 a.m.•3 views

PT-2026-26446

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

6.5CVSS5.8AI score0.00018EPSS

OSV•added 2026/03/07 2:10 a.m.•2 views

GHSA-5Q8V-J673-M5V4 Firefly III user API endpoints expose all users' information to any authenticated user (IDOR)

Summary The User management API endpoints GET /api/v1/users and GET /api/v1/users/id are accessible to any authenticated user without admin/owner role verification, exposing all users' email addresses, roles, and account status. Affected Endpoints 1. GET /api/v1/users UserController::index, line ...

7.1CVSS5.8AI score

NVD•added 2026/02/11 9:16 p.m.•2 views

CVE-2020-37173

AVideo Platform 8.1 contains an information disclosure vulnerability that allows attackers to enumerate user details through the playlistsFromUser.json.php endpoint. Attackers can retrieve sensitive user information including email, password hash, and administrative status by manipulating the...

8.7CVSS0.0014EPSS

Exploits1References4

OSV•added 2026/02/11 9:16 p.m.•4 views

CVE-2020-37173

7.5CVSS5.5AI score

CNNVD•added 2026/02/11 12:0 a.m.•4 views

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Version 8.1 of WWBN AVideo contains a security vulnerability. This vulnerability stems from information leakage, and it could allow attackers to enumerate user details through the playlistsFromUser.json.ph...

8.7CVSS5.8AI score0.0014EPSS

Exploits1References4

OSV•added 2026/01/26 2:49 p.m.•6 views

BIT-MOODLE-2025-3640 Moodle: idor in web service allows users enrolled in a course to access some details of other users

A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access...

4.3CVSS5.8AI score0.00163EPSS