1122 matches found
CVE-2026-44961
The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing...
CVE-2026-44957
A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with...
CVE-2026-34917
Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context web/API is now...
EUVD-2026-38502
A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with...
EUVD-2026-38504
The XML‑RPC API addUser method has a validation bypass introduced in the fix for CVE‑2025‑55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper validation has been added where it was missing...
CVE-2026-44957
The CVE-2026-44957 vulnerability affects Revive Adserver 6.0.6 and earlier, where a missing access control check in the XML-RPC API modify methods allowed entities to be reassigned to different parent entities, causing inconsistent ownership. The issue is exploitable only in combination with CVE-...
CVE-2026-34917
Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context web/API is now...
CVE-2026-44961
The CVE-2026-44961 entry affects Revive Adserver’s XML‑RPC addUser API. The flaw is a validation bypass introduced in the fix for CVE-2025‑55129, enabling username-based impersonation or stored XSS unless proper validation is present. The available documents confirm that correct validation has no...
Zoho ManageEngine - Remote Code Execution
Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary...
Apache OFBiz < 18.12.10 - Arbitrary Code Execution
Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. id: CVE-2023-49070 info: name: Apache OFBiz 18.12.10 - Arbitrary Code Execution author: your3cho severity: critical description: | Pre-auth RCE in Apach...
Apache OFBiz 17.12.03 - Cross-Site Scripting
Apache OFBiz 17.12.03 contains cross-site scripting and unsafe deserialization vulnerabilities via an XML-RPC request. id: CVE-2020-9496 info: name: Apache OFBiz 17.12.03 - Cross-Site Scripting author: dwisiswant0 severity: medium description: Apache OFBiz 17.12.03 contains cross-site scripting a...
Revive Adserver: XML‑RPC login leak exposes valid session ID enabling unauthorized API access
Vulnerability description not provided...
Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : XML-RPC for C and C++ vulnerabilities (USN-8313-1)
The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8313-1 advisory. It was discovered that Expat, vendored in XML-RPC, incorrectly handled certain files. An...
Exploit for CVE-2026-8832
EXPLOIT CVE-2026-8832 !Bannerhttps://img.shields.io/badge/...
Exploit for Incorrect Default Permissions in Supervisord Supervisor
LAB 3 — Supervisord XML-RPC Remote Code Execution CVE-2017-11...
PT-2026-43573
The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability type or capability...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: xmlrpc (UTSA-2026-016592)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016592 advisory. An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC aka ws-xmlrpc library. A malicious...
CVE-2026-44193
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restoreconfigsection fails to sanitize user supplied input leading to Remote Code Execution. This vulnerability is fixed in 26.1.7...
CVE-2026-44193 OPNsense: RCE via XMLRPC endpoint using `opnsense.restore_config_section` method
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restoreconfigsection fails to sanitize user supplied input leading to Remote Code Execution. This vulnerability is fixed in 26.1.7...
CVE-2025-69691
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.execphp. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code...