27 matches found
CVE-2026-45345
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This...
Kirby CMS's read access to site, user and role information is not gated by permissions
TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. This vulnerability is of high severity for affected sites. Sites using Kirby are not affected if they intend all users of the site to be able to list and access the site...
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Overview Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via the lastlogintime sort order in the explore/users page. An attacker can obtain sensitive information about users' login times by querying the user exploratio...
EUVD-2025-203109
A security vulnerability has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This impacts an unknown function of the file model/User.php. The manipulation of the argument employeeid/id/admin leads to sql injection. The attack can be initiated...
CVE-2025-14568
A security vulnerability has been detected in haxxorsid Stock-Management-System up to fbbbf213e9c93b87183a3891f77e3cc7095f22b0. This impacts an unknown function of the file model/User.php. The manipulation of the argument employeeid/id/admin leads to sql injection. The attack can be initiated...
Stock-Management-System SQL Injection Vulnerability
Stock-Management-System is an inventory management system by Mr Erick Personal Developer. Stock-Management-System version fbbbf213e9c93b87183a3891f77e3cc7095f22b0 has a SQL injection vulnerability that stems from incorrect manipulation of the parameter employeeid/id/admin in the file...
EUVD-2021-0934
Malware in sbrugna...
EUVD-2018-13062
Malware in sbrugna...
CVE-2025-56161
YOSHOP 2.0 allows unauthenticated information disclosure via comment-list API endpoints in the Goods module. The Comment model eagerly loads the related User model without field filtering; because User.php defines no $hidden or $visible attributes, sensitive fields bcrypt password hash, mobile...
CVE-2023-23015
Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file Usermodel.php...
CVE-2018-20508
CrashFix 1.0.4 has SQL Injection via the Userstatus parameter. This is related to actionIndex in UserController.php, and the protected\models\User.php search function...
PT-2024-20354 · Vaales Technologies · V Qrs
Name of the Vulnerable Software and Affected Versions: Vaales Technologies V QRS version 2024-01-17 Description: The issue allows a remote attacker to obtain sensitive information via the Models/UserModel.php component. This is achieved through a SQL injection vulnerability. Recommendations: For...
Vaales Technologies V_QRS SQL Injection Vulnerability
Vaales Technologies VQRS is a digital business card solution from Vaales Technologies, India. A SQL injection vulnerability exists in Vaales Technologies VQRS version v.2024-01-17, which originates from a vulnerability that allows remote attackers to obtain sensitive information via the...
Mastodon Security Vulnerability
Mastodon is an open source social networking server based on ActivityPub. A security vulnerability exists in app/models/user.rb in versions prior to Mastodon 3.5.0, which can be exploited by an attacker to bypass email restrictions...
GHSA-7FJP-G4M7-FX23 User (Encrypted) Password Field Being Serialised
Impact Leaking Password field during serialisation of the User model. Password is in the encrypted form but if User model is requested in json or array form the value is printed. Patches Issue has been patched in version 0.3.7-beta and onwards. Workarounds Add the 'password' field to the Users...
SQL injection
OpenSNS v6.1.0 allows SQL Injection via the index.php?s=/ucenter/Config/ uid parameter because of the getNeedQueryData function in Application/Common/Model/UserModel.class.php...
Cross-site Scripting (XSS)
github.com/gogits/gogs is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists due to the lack of sanitization in the username field of the user model...
CVE-2016-7788
SQL injection vulnerability in framework/modules/users/models/user.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter...