Lucene search
K

2191 matches found

Github Security Blog
Github Security Blog
added 2026/06/23 10:11 p.m.12 views

Snipe-IT's selectlist visibility is too permissive

Impact The GET /api/v1/object/selectlist API endpoint is missing an authorization check. Any user who can log into Snipe-IT - regardless of permissions - can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This...

7.1CVSS5.9AI score0.00385EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/06/23 4:14 p.m.6 views

EUVD-2026-38503

A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to th...

5.7AI score0.00339EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 4:14 p.m.42 views

CVE-2026-44960

A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to th...

0.00339EPSS
Exploits0References1
NVD
NVD
added 2026/06/19 6:16 p.m.12 views

CVE-2019-25755

Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Attackers can send POST requests to the editReview task endpoint with URL-encoded SQL UNION...

8.8CVSS0.00366EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/19 5:25 p.m.4 views

CVE-2019-25755

Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Attackers can send POST requests to the editReview task endpoint with URL-encoded SQL UNION...

8.8CVSS6.3AI score0.00366EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/06/19 5:25 p.m.6 views

EUVD-2019-20191

Joomla Component vReview 1.9.11 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cmId parameter. Attackers can send POST requests to the editReview task endpoint with URL-encoded SQL UNION...

8.8CVSS6.3AI score0.00366EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.18 views

PT-2026-48936

Name of the Vulnerable Software and Affected Versions Mattermost versions prior to 11.6.2 Mattermost versions prior to 11.5.5 Mattermost versions prior to 10.11.17 Description A failure to validate that a username returned during bot registration belongs to a bot account allows an unprivileged...

5.3CVSS5.9AI score0.0019EPSS
Exploits0References4
Malwarebytes
Malwarebytes
added 2026/06/11 11:31 a.m.28 views

VRChat says reported data breach never happened

A data breach notice has been filed with the Maine Attorney General, saying more than 2.4 million users of VRChat have had their data breached. The question is, was it VRChat who filed the breach notice, or did someone pretending to represent the company post it instead? On Reddit, a VRChat...

5.4AI score
Exploits0
NVD
NVD
added 2026/06/10 10:17 p.m.13 views

CVE-2026-48011

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue...

3.7CVSS0.00223EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/10 8:7 p.m.14 views

EUVD-2026-36120

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue...

3.7CVSS5.4AI score0.00223EPSS
Exploits0References3
CVE
CVE
added 2026/06/10 8:7 p.m.27 views

CVE-2026-48011

Summary of CVE-2026-48011 (Shopware) : A timing-attack in the admin authentication flow enables an attacker to enumerate administrator usernames. The issue is in the OAuth user lookup path (UserRepository::getUserEntityByUserCredentials). If a username is not found, the code returns quickly; if f...

3.7CVSS5.4AI score0.00223EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/10 8:7 p.m.34 views

CVE-2026-48011 Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue...

3.7CVSS0.00223EPSS
Exploits0References3
CVE
CVE
added 2026/06/10 12:38 p.m.27 views

CVE-2026-49498

Ghidra 11.0 before 12.1 is affected by a SQL injection in PostgresFunctionDatabase.changePassword(), which fails to escape double quotes in usernames interpolated into ALTER ROLE statements. Authenticated attackers can craft username parameters in PasswordChange network messages to inject SQL com...

8.8CVSS5.7AI score0.00259EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:38 p.m.12 views

CVE-2026-21730

Verba is affected by a Stored Cross-Site Scripting XSS vulnerability within its login logging mechanism. When an unauthenticated remote attacker attempts to log in using an incorrect username and password combination, the supplied username value is recorded in the application logs. Due to lack of...

6.1CVSS5.5AI score0.00205EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:30 p.m.13 views

CVE-2026-42866

Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's writetxt, writecsv, writejson, and commented-but-shipping scanfile helpers open their output as openf"user.", where user comes unsanitized from the -u CLI flag or any line of a -U usernames file. A userna...

6.7CVSS5.6AI score0.00145EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:24 p.m.13 views

CVE-2026-8672

Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords. This issue affects Avantra: before 25.3.0...

5.1CVSS5.5AI score0.00105EPSS
Exploits0References1
OSV
OSV
added 2026/06/04 7:31 p.m.9 views

GHSA-7W52-7JVM-M9VW Shopware: Timing-attack on admin panel allowing enumeration of administrator usernames

Summary There is a Proof of Concept which is able to enumerate the usernames of administrator users. This was possible by performing a timing attack. Details The faulty code exists in src/Core/Framework/Api/OAuth/UserRepository.php: public function getUserEntityByUserCredentials string $username,...

3.7CVSS5.8AI score0.00223EPSS
Exploits0References5
NVD
NVD
added 2026/06/04 2:16 p.m.14 views

CVE-2019-25732

PHP EI-Tube Script 3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can send GET requests to the search endpoint with crafted SQL payloads in the query parameter to...

8.8CVSS0.00262EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/04 1:22 p.m.8 views

CVE-2019-25730

Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to pages.php with crafted id values using error-based SQL injection techniques to...

8.8CVSS6.2AI score0.0027EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/06/04 1:22 p.m.39 views

CVE-2019-25730 Listing Hub CMS 1.0 SQL Injection via pages.php id

Listing Hub CMS 1.0 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to pages.php with crafted id values using error-based SQL injection techniques to...

8.8CVSS0.0027EPSS
Exploits0References5
Rows per page
Query Builder