Webkul Krayin CRM is Vulnerable to Cross-Site Scripting in the /admin/activities/create endpoint
Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...
GHSA-MMPX-JH39-WRV6 FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)
Summary FileBrowser Quantum serves inline SVG files without a Content-Security-Policy header, allowing embedded JavaScript in SVG files to execute when accessed via public share links. Verified on v1.3.0-stable. Affected product - Product: FileBrowser Quantum gtsteffaniak/filebrowser - Verified...
CVE-2026-27181
MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin method reads 'mode' from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without...
Deciso OPNsense Cross-Site Scripting Vulnerability
Deciso OPNsense is a set of open-source firewall and routing software based on FreeBSD, developed by the Dutch company Deciso. Deciso OPNsense version 19.1 contains a cross-site scripting vulnerability. This vulnerability stems from insufficient input validation of the value parameter in the...
Wix Cross-Site Scripting Vulnerability
Wix is a website building platform provided by the Israeli company Wix. Wix has a cross-site scripting vulnerability, which stems from improper sanitization of content by the endpoint responsible for uploading SVG images. This vulnerability may lead to reflected cross-site scripting attacks...
📄 Nagios XI Monitoring Wizard Command Injection
Nagios XI is a widely used enterprise monitoring solution. A vulnerability exists within the Monitoring Wizard configuration page where the database parameter is unsafely passed into backend operations. Authenticated users can exploit this to execute arbitrary system commands, allowing full remot...
CVE-2025-64061
Primakon Pi Portal 1.0.18 /api/v2/users endpoint is vulnerable to unauthorized data exposure due to deficient access control mechanisms. Any authenticated user, regardless of their privilege level including standard or low-privileged users, can make a GET request to this endpoint and retrieve a...
EUVD-2025-13995
Malicious code in bioql PyPI...
CVE-2025-0452
eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file deletion on Windows systems via the '/v1/agent/hub/update' endpoint. The application fails to properly filter the '' character, which is commonly used as a separator in Windows paths. This vulnerability allows attackers to delete...
CVE-2024-36548
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via admin/vpsCompanydeal.php?mudi=del...
PT-2024-26291 · Idccms · Idccms
Name of the Vulnerable Software and Affected Versions: idccms version 1.35 Description: A Cross-Site Request Forgery CSRF issue was discovered in the component "/admin/infoType deal.php" with parameters mudi and nohrefStr. This allows for unauthorized requests. Recommendations: For idccms version...
PT-2024-25893 · Wangshen · Wangshen Secgate 3600
Name of the Vulnerable Software and Affected Versions: Wangshen SecGate 3600 up to 20240408 Description: A critical issue affects an unknown part of the file "/?g=net pro keyword import save". The manipulation of the reqfile argument leads to unrestricted upload. It is possible to initiate the...
CVE-2024-22568
FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/score/del...
PT-2023-20982 · Unknown · Openapi Generator
Name of the Vulnerable Software and Affected Versions: openapi-generator versions up to v6.4.0 Description: The issue is related to a Server-Side Request Forgery SSRF in the component "/api/gen/clients/language". This allows attackers to access network resources and sensitive information via a...
PT-2021-22730 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab EE versions 8.13 and later Description: The issue concerns an endpoint that discloses names of private groups with access to a project to low-privileged users who are part of that project. Recommendations: For GitLab EE versions 8.13 a...
skymetweather.com XSS vulnerability
Vulnerable URL: http://www.skymetweather.com/pool/getfavcities?cityids=253,1322,5013,11835=prompt/OPENBUGBOUNTY/...