
4 matches found

Cvelist
added 2026/01/22 3:52 a.m., 16 views

CVE-2026-24042 Appsmith public apps can execute unpublished actions (viewMode confusion)

Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished edit-mode actions by sending viewMode=false or omitting it to POST /api/v1/actions/execute. This bypasses the...

CVSS 9.4 | EPSS 0.00121
Exploits: 0 | References: 1

ATTACKERKB
added 2025/07/15 1:9 p.m., 0 views

CVE-2025-34113

An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the viewmode GET parameter in tiki-calendar.php. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execu...

CVSS 8.7 | AI score 6.6 | EPSS 0.64391
Exploits: 0 | References: 6

CNVD
added 2016/09/23 12:0 a.m., 1 views

Tiki Wiki CMS Calendar Remote Code Execution Vulnerability

Tiki Wiki CMS Groupware is a suite of open source content management and portal applications from the Tiki software community that can be used to create web applications, portals, corporate intranets, extranets, and more. A remote code execution vulnerability exists in the viewmode parameter of t...

AI score 8.2
Exploits: 0 | References: 1

Prion
added 2007/06/14 10:30 p.m., 11 views

Cross site scripting

Multiple cross-site scripting (XSS) vulnerabilities in links.php in Beehive Forum 0.7.1 allow remote attackers to inject arbitrary web script or HTML via the (1) viewmode, (2) fid, and (3) sortdir parameters, different vectors than CVE-2005-4460...

CVSS 4.3 | AI score 6 | EPSS 0.01132
Exploits: 0 | References: 6 | Affected Software: 1