15 matches found
CVE-2026-27793
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...
EUVD-2025-24397
Malicious code in bioql PyPI...
EUVD-2024-54347
Malicious code in bioql PyPI...
CVE-2025-27236 User information disclosure via api_jsonrpc.php on method user.get with param search
A regular Zabbix user can search other users in their user group via the Zabbix API by selecting fields the user does not have access to view. This allows data-mining some field values the user does not have access to...
SUSE CVE-2024-42325
Zabbix API user.get returns all users that share a common group with the calling user. This includes media and other information, such as login attempts, etc...
CVE-2024-42325
Zabbix API user.get returns all users that share a common group with the calling user. This includes media and other information, such as login attempts, etc...
CVE-2024-42325
Zabbix API user.get returns all users that share a common group with the calling user. This includes media and other information, such as login attempts, etc...
CVE-2024-38467
Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized user information retrieval via the queryUser API...
GHSA-97JG-43C9-Q6PF Unauthenticated user can retrieve the list of users through uorgsuggest.vm
A guest user without the right to view pages of the wiki can still list documents related to users of the wiki. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem...
CVE-2020-10804
In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username in libraries/classes/Server/Privileges.php and libraries/classes/UserPassword.php. A malicious user with access to the server could create a crafted username, and then...
SQL Injection
zeppelin-server is vulnerable to SQL injection attacks. The username value is used directly in a SQL statement when retrieving a user list through rest. If an attacker was able to save a username with SQL code in it, this would get executed when the list was being retrieved...
X7 Chat 2.0.5 - day SQL Injection
X7 Chat 2.0.5 - day SQL Injection !/usr/bin/python Exploit for xchat 2.0.5 Extracts the users and the hashes By nonroot - 2008 it's a PoC, please use responsibly import string,urllib import sys,re print "Target host: i.e: http://127.0.0.1/x7chat/" host=rawinput"Target host include http and /: " print...
evisioncms-exec.txt
!/usr/bin/php -q -d shortopentag=on ...need i say more? Bug 2 admin/functions.php: if isset$COOKIE'adminlang' $languageselector = $COOKIE'adminlang'; else $languageselector = "en"; include"lang/".$languageselector.".php"; ...speaks for it self really. Bug 3 ; $sql = "SELECT stylecss FROM template...
Dokeos 1.6.5 - 'courseLog.php?scormcontopen' SQL Injection
!/usr/bin/perl -w Dokeos = 1.6.5 SQL Injection Exploit Discovered by: Silentz Payload: Admin Username & Hash Retrieval Website: http://www.w4ck1ng.com Vulnerable Code courseLog.php: if $GET'scormcontopen' includeonceapigetlibrarypath.'/database.lib.php'; include'../scorm/XMLencode.php';...
FreeBSD-SA-00:26.popper
FreeBSD-SA-00:26 Security Advisory FreeBSD, Inc. Topic: popper port contains remote vulnerability REVISED Category: ports Module: popper Announced: 2000-07-05 Revised: 2000-07-11...