
14724 matches found

Snyk
added 2026/03/20 12:38 a.m., 3 views

Authentication Bypass Using an Alternate Path or Channel

Overview: Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Actuator CloudFoundry endpoints. An attacker can gain unauthorized access to protected endpoints by sending requests to application endpoints declared under the CloudFound...

CVSS 9.2, AI score 5.8, EPSS 0.00353
Exploits 0, References 2
Snyk
added 2026/03/20 12:38 a.m., 5 views

Authentication Bypass Using an Alternate Path or Channel

Overview: Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Actuator CloudFoundry endpoints. An attacker can gain unauthorized access to protected endpoints by sending requests to application endpoints declared under the CloudFound...

CVSS 9.2, AI score 5.8, EPSS 0.00353
Exploits 0, References 2
Positive Technologies
added 2026/03/20 12:00 a.m., 2 views

PT-2026-26562

AVideo is a video-sharing platform. Versions prior to 8.0 contain a SQL injection vulnerability in the getSqlFromPost method of Object.php. The $_POST['sort'] array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real_escape_string was applied, it only escapes...

CVSS 8.6, AI score 5.8, EPSS 0.00398
Exploits 0, References 3
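The mechanism behind PT-2026-26562 (string escaping applied to values that end up as SQL identifiers, where it has no effect) reproduced as an added JavaScript example. This is not AVideo's code: the table and column names, the `realEscapeString` stand-in for mysqli-style escaping, and the attacker-controlled sort key are all constructed for illustration. The hardened variant maps the untrusted key through an allowlist instead of splicing it into the query.

```javascript
// Added example (not AVideo's code): escaping string literals does not
// protect SQL identifiers. Models the pattern in PT-2026-26562, where the
// keys of a request "sort" array are spliced into ORDER BY after escaping.

// Stand-in for mysqli_real_escape_string (constructed): escapes only the
// characters that would terminate or corrupt a *quoted string literal*.
function realEscapeString(s) {
  return String(s).replace(/[\0\n\r\b\t\\'"\x1a]/g, (ch) => {
    switch (ch) {
      case '\0': return '\\0';
      case '\n': return '\\n';
      case '\r': return '\\r';
      case '\b': return '\\b';
      case '\t': return '\\t';
      case '\x1a': return '\\Z';
      default: return '\\' + ch; // backslash, single and double quote
    }
  });
}

// Vulnerable pattern: each sort key becomes a column identifier. Identifiers
// are not quoted literals, so the escaping above cannot constrain them.
function buildOrderByVulnerable(sort) {
  const parts = Object.entries(sort).map(([column, dir]) =>
    `${realEscapeString(column)} ${realEscapeString(dir)}`);
  return `SELECT * FROM videos ORDER BY ${parts.join(', ')}`;
}

// Hardened pattern: the request key is only used to look up a known column,
// and the direction is forced to one of two fixed tokens. No user-supplied
// bytes reach the SQL text.
const SORTABLE_COLUMNS = new Set(['created', 'title', 'views_count']); // constructed

function buildOrderBySafe(sort) {
  const parts = [];
  for (const [column, dir] of Object.entries(sort)) {
    if (!SORTABLE_COLUMNS.has(column)) {
      throw new Error(`unsortable column: ${column}`);
    }
    const direction = String(dir).toUpperCase() === 'DESC' ? 'DESC' : 'ASC';
    parts.push(`\`${column}\` ${direction}`);
  }
  if (parts.length === 0) return 'SELECT * FROM videos';
  return `SELECT * FROM videos ORDER BY ${parts.join(', ')}`;
}

// Constructed attacker input: the key contains no quotes or backslashes, so
// realEscapeString returns it unchanged, yet it places a subquery (here a
// time-based probe) inside ORDER BY.
const maliciousSort = { '(SELECT IF(1=1,SLEEP(5),0))': 'ASC' };

// Runs both builders against the same input and reports what happened.
function demo() {
  const injected = buildOrderByVulnerable(maliciousSort);
  let blocked = false;
  try { buildOrderBySafe(maliciousSort); } catch (e) { blocked = true; }
  return { injected, blocked, safe: buildOrderBySafe({ created: 'desc' }) };
}
```

The point to take from `demo()` is that `injected` still carries the subquery verbatim after escaping; the only defence that works for identifiers is a fixed mapping from user-facing keys to column names, which `buildOrderBySafe` implements.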
Positive Technologies
added 2026/03/20 12:00 a.m., 3 views

PT-2026-26610

Name of the vulnerable software and affected versions: not specified. Description: The error description parameter is susceptible to Reflected Cross-Site Scripting (XSS). An attacker can circumvent the website's Web Application Firewall (WAF) by utilizing a payload specifically designe...

CVSS 6.1, AI score 6, EPSS 0.00303
Exploits 1, References 8
Redos
added 2026/03/18 12:00 a.m., 6 views

ROS-20260318-73-0001

A vulnerability in the ModSecurity web application security module exists due to insufficient input validation during URL processing. Exploitation of the vulnerability could allow an attacker acting remotely to bypass WAF rules...

CVSS 8.6, AI score 7.3, EPSS 0.00682
Exploits 0
EUVD
added 2026/03/17 3:36 p.m., 4 views

EUVD-2025-208779

HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external...

CVSS 4.7, AI score 5.8, EPSS 0.00158
Exploits 0, References 2
CNVD
added 2026/03/17 12:00 a.m., 2 views

Fortinet FortiWeb OS Command Injection Vulnerability (CNVD-2026-14602)

Fortinet FortiWeb is a web application layer firewall from the U.S. company Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning and other attacks to ensure the security of web applications and protect sensitive database content. A...

CVSS 7.2, AI score 6.1, EPSS 0.01667
Exploits 0, References 1
EUVD
added 2026/03/16 3:30 p.m., 1 view

EUVD-2026-12395

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/pets/print-tags'. This vulnerability could allow an authenticated user to alter a POST request to the affected endpoint for the purpose of injecting NoSQL commands,...

CVSS 5.3, AI score 5.9, EPSS 0.00329
Exploits 0, References 2
NVD
added 2026/03/16 2:19 p.m., 2 views

CVE-2026-3021

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL...

CVSS 7.1, EPSS 0.00215
Exploits 0, References 1
Cvelist
added 2026/03/16 10:11 a.m., 24 views

CVE-2026-3021 Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL...

CVSS 7.1, EPSS 0.00215
Exploits 0, References 1
Positive Technologies
added 2026/03/16 12:00 a.m., 1 view

PT-2026-25672

Name of the vulnerable software and affected versions: Wakyma, affected versions not specified. Description: A non-relational SQL injection (NoSQLi) issue exists in the Wakyma web application. An authenticated user can modify a POST request sent to the 'vets.wakyma.com/pets/print-tags' endpoint to...

CVSS 8.8, AI score 5.8, EPSS 0.00329
Exploits 0, References 4
Positive Technologies
added 2026/03/16 12:00 a.m., 1 view

PT-2026-25670

Non-relational SQL injection vulnerability (NoSQLi) in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/centro/equipo/empleado'. This vulnerability could allow an authenticated user to alter a GET request to the affected endpoint for the purpose of injecting special NoSQL...

CVSS 7.1, AI score 5.8, EPSS 0.00215
Exploits 0, References 1
CNVD
added 2026/03/16 12:00 a.m., 3 views

OliveTin Path Traversal Vulnerability

OliveTin is an open-source web application. OliveTin has a path traversal vulnerability, caused by unsafe resolution of UniqueTrackingId, which can be exploited by an attacker to traverse directories on the system...

CVSS 8.5, AI score 7.3, EPSS 0.00712
Exploits 1
Cvelist
added 2026/03/12 3:37 p.m., 27 views

CVE-2019-25540 Netartmedia PHP Mall 4.1 Multiple SQL Injection

Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various parameters. Attackers can craft malicious requests with SQL payloads to extract sensitive database information includi...

CVSS 8.8, EPSS 0.00359
Exploits 1, References 2
Vulnrichment
added 2026/03/12 3:36 p.m., 2 views

CVE-2019-25523 XooGallery Latest SQL Injection via cat.php

XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to cat.php with malicious catid values to bypass authentication, extract sensitive data...

CVSS 8.8, AI score 5.9, EPSS 0.00393
Exploits 1, References 2
NVD
added 2026/03/11 10:16 p.m., 5 views

CVE-2026-32133

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Th...

CVSS 9.1, EPSS 0.00505
Exploits 1, References 1
EUVD
added 2026/03/11 9:45 p.m., 6 views

EUVD-2026-11414

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. Th...

CVSS 7.8, AI score 5.9, EPSS 0.00505
Exploits 1, References 1
ATTACKERKB
added 2026/03/11 4:06 p.m., 4 views

CVE-2026-30235

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, a vulnerability exists due to improper validation in OpenProject's Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM...

CVSS 6.5, AI score 5.8, EPSS 0.00322
Exploits 0, References 2, Affected software 1
RedhatCVE
added 2026/03/11 7:08 a.m., 4 views

CVE-2026-30919

facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4, stored XSS (also known as persistent or second-order XSS) occurs when an application receives data from an untrusted source and includes that data in its subsequent HTTP responses in an unsafe manner. Thi...

CVSS 7.6, AI score 5.8, EPSS 0.00187
Exploits 1, References 1
OSV
added 2026/03/11 12:21 a.m., 2 views

GHSA-775H-3XRC-C228 Parse Server has a rate limit bypass via batch request endpoint

Impact: Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle...

CVSS 6.9, AI score 5.8, EPSS 0.00342
Exploits 0, References 5
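The architecture described in GHSA-775H-3XRC-C228, a limiter attached at the HTTP middleware layer that an internal batch dispatcher walks around, modelled as an added JavaScript example. This is not Parse Server's code and not its published fix: the `RateLimiter`, the in-process router, the `/login` handler, the request shape and the client address are all constructed. The hardened variant re-applies the limiter to every sub-request inside the batch, which is one possible mitigation, not necessarily the one the project shipped.

```javascript
// Added example (not Parse Server's code): a rate limiter installed as
// HTTP-layer middleware is bypassed when a /batch endpoint dispatches its
// sub-requests straight to an internal router. Models GHSA-775H-3XRC-C228.

// Constructed fixed-window limiter keyed by client address.
class RateLimiter {
  constructor(limit) { this.limit = limit; this.counts = new Map(); }
  // true if this request is within the limit, false if the client is over it
  allow(clientIp) {
    const n = (this.counts.get(clientIp) || 0) + 1;
    this.counts.set(clientIp, n);
    return n <= this.limit;
  }
}

// Internal router (constructed): dispatches one logical request to its
// handler. Stands in for the Promise router that /batch calls directly,
// below the middleware layer.
function routeInternally(req, handlers) {
  const handler = handlers[req.path];
  if (!handler) return { status: 404 };
  return handler(req);
}

// Builds an app. applyLimitInsideBatch toggles the hardening.
function buildApp({ limit, applyLimitInsideBatch }) {
  const limiter = new RateLimiter(limit);
  const handlers = {
    // Constructed sensitive endpoint: the thing an attacker wants many shots at.
    '/login': (req) => ({ status: 200, body: `login attempt for ${req.body.username}` }),
  };
  handlers['/batch'] = (req) => {
    const results = req.body.requests.map((sub) => {
      const subReq = { ip: req.ip, path: sub.path, body: sub.body };
      // Hardened: every sub-request pays the same limiter cost as a direct
      // request. Vulnerable: sub-requests are never counted.
      if (applyLimitInsideBatch && !limiter.allow(subReq.ip)) return { status: 429 };
      return routeInternally(subReq, handlers);
    });
    return { status: 200, body: results };
  };

  // HTTP entry point: middleware chain (just the limiter here), then routing.
  return function handle(req) {
    if (!limiter.allow(req.ip)) return { status: 429 };
    return routeInternally(req, handlers);
  };
}

// How many login attempts does one client get through, directly or bundled
// into a single /batch envelope?
function loginAttemptsServed(app, attempts, viaBatch) {
  const ip = '203.0.113.7'; // constructed client address
  const attempt = (i) => ({ path: '/login', body: { username: 'admin', password: `guess${i}` } });
  let served = 0;
  if (viaBatch) {
    const requests = Array.from({ length: attempts }, (_, i) => attempt(i));
    const res = app({ ip, path: '/batch', body: { requests } });
    if (res.status === 200) served = res.body.filter((r) => r.status === 200).length;
  } else {
    for (let i = 0; i < attempts; i++) {
      const res = app({ ip, ...attempt(i) });
      if (res.status === 200) served++;
    }
  }
  return served;
}
```

With a limit of 10, one hundred direct requests yield 10 served login attempts; the same hundred wrapped in one `/batch` call against the vulnerable app yield 100, because the envelope consumed a single limiter token and the sub-requests none. The hardened app yields 9 (the envelope itself takes one of the 10 tokens), which is the behaviour to check for when verifying a fix: batched sub-requests must be charged at the same rate as direct ones.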