Unknown · CVSS Not scored
The "userModify" feature of Silverpeas Core 6.3.1 is vulnerable to Cross Site Request Forgery (CSRF) leading to privilege escalation. If an administrator goes to a malicious URL while being authenticated to the Silverpeas application, the CSRF with execute making the attacker an administrator user in the application.
Published Dec 13, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control via the "Porlet Deployer" which allows administrators to deploy .WAR portlets.
Published Dec 13, 2023 · Updated Jul 9, 2026
High · CVSS 8.1
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function of putting the application in "Maintenance Mode" due to broken access control. This makes the application unavailable to all users. This affects Silverpeas Core 6.3.1 and below.
Published Dec 13, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
SeaCMS v12.9 was discovered to contain a remote code execution (RCE) vulnerability via the component /augap/adminip.php.
Published Dec 28, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue in lmxcms v.1.41 allows a remote attacker to execute arbitrary code via a crafted script to the admin.php file.
Published Nov 2, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability in ABO.CMS v.5.9.3 allows an attacker to execute arbitrary code via a crafted payload to the Referer header.
Published Jan 17, 2024 · Updated Jul 9, 2026
High · CVSS 7.2
File Upload vulnerability PMB v.7.4.8 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted PHP file uploaded to the start_import.php file.
Published Jan 11, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
Hardy Barth cPH2 eCharge Ladestation v1.87.0 and earlier is vulnerable to Execution with Unnecessary Privileges.
Published Feb 6, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An OS command injection vulnerability in Hardy Barth cPH2 eCharge Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted arguments passed to the connectivity check feature.
Published Feb 6, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.4
A vulnerability in Solar-Log Base 15 Firmware 6.0.1 Build 161, and possibly other Solar-Log Base products, allows an attacker to escalate their privileges by exploiting a stored cross-site scripting (XSS) vulnerability in the switch group function under /#ilang=DE&b=c_smartenergy_swgroups in the web portal. The vulnerability can be exploited to gain the rights of an installer or PM, which can then be used to gain administrative access to the web portal and execute further attacks. NOTE: The vendor states that this vulnerability has been fixed with 3.0.0-60 11.10.2013 for SL 200, 500, 1000 / not existing for SL 250, 300, 1200, 2000, SL 50 Gateway, SL Base.
Published Feb 2, 2024 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary commands via the admin_safe.php component.
Published Oct 24, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A vulnerability in the web-based interface of the RUCKUS Cloudpath product on version 5.12 build 5538 or before to could allow a remote, unauthenticated attacker to execute persistent XSS and CSRF attacks against a user of the admin management interface. A successful attack, combined with a certain admin activity, could allow the attacker to gain full admin privileges on the exploited system.
Published Oct 19, 2023 · Updated Jul 9, 2026
High · CVSS 8.2
An issue in Tamaki_hamanoki Line v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.
Published Jan 3, 2024 · Updated Jul 9, 2026
Unknown · CVSS Not scored
In the module "Rotator Img" (posrotatorimg) in versions at least up to 1.1 from PosThemes for PrestaShop, a guest can perform SQL injection.
Published Oct 19, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A buffer overflow in Macrium Reflect 8.1.7544 and below allows attackers to escalate privileges or execute arbitrary code.
Published Oct 10, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Dreamer CMS v4.1.3 was discovered to contain an arbitrary file read vulnerability via the component /admin/TemplateController.java.
Published Sep 26, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a modified parameter value, e.g., changing extension=self to extension=101.
Published Nov 2, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in craftbeer bar canvas mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token (via captured network traffic).
Published Dec 7, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Cross-Site Request Forgery (CSRF) in admin_manager.php of Seacms up to v12.8 allows attackers to arbitrarily add an admin account.
Published Sep 25, 2023 · Updated Jul 9, 2026
High · CVSS 7.5
An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 allows attackers to access sensitive router components.
Published Oct 4, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
DedeBIZ v6.2.11 was discovered to contain multiple remote code execution (RCE) vulnerabilities at /admin/file_manage_control.php via the $activepath and $filename parameters.
Published Sep 26, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A stored cross-site scripting (XSS) vulnerability in the Website column management function of DedeBIZ v6.2.11 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the title parameter.
Published Sep 26, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A deserialization vulnerability in Afterlogic Aurora Files v9.7.3 allows attackers to execute arbitrary code via supplying a crafted .sabredav file.
Published Oct 3, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
TOTOLINK A3700R V9.1.2u.6134_B20201202 and N600R V5.3c.5137 are vulnerable to Incorrect Access Control.
Published Sep 25, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.1
Cross-site scripting (XSS) vulnerability in Froala Froala Editor v.4.1.1 allows remote attackers to execute arbitrary code via the 'Insert link' parameter in the 'Insert Image' component.
Published Sep 25, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in Turing Video Turing Edge+ EVC5FD v.1.38.6 allows remote attacker to execute arbitrary code and obtain sensitive information via the cloud connection components.
Published Oct 31, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross Site Scripting vulnerability in xdsoft.net Jodit Editor v.4.0.0-beta.86 allows a remote attacker to obtain sensitive information via the rich text editor component.
Published Sep 19, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in xui-xray v1.8.3 allows attackers to obtain sensitive information via default password.
Published Sep 18, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the cmd parameter in the index.php component.
Published Sep 27, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross Site Request Forgery vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the txt parameter in the index.php component.
Published Sep 27, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the txt parameter in the index.php component.
Published Sep 27, 2023 · Updated Jul 9, 2026
High · CVSS 8.8
An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter.
Published Sep 28, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter.
Published Sep 27, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the ID parameter in the index.php component.
Published Sep 27, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the subcmd parameter in the index.php component.
Published Sep 28, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted script to the title parameter in the index.php component.
Published Sep 28, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross Site Scripting vulnerability in phpkobo AjaxNewTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the index.php component.
Published Sep 27, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.
Published Nov 7, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Cross Site Scripting (XSS) in Webmail Calendar in IceWarp 10.3.1 allows remote attackers to inject arbitrary web script or HTML via the "p4" field.
Published Sep 12, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
File Upload vulnerability in adlered bolo-solo v.2.6 allows a remote attacker to execute arbitrary code via a crafted script to the authorization field in the header.
Published Sep 5, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A stored cross-site scripting (XSS) vulnerability in the Usermin Configuration function of Webmin v2.100 allows attackers to execute arbitrary web sripts or HTML via a crafted payload injected into the Custom field.
Published Sep 15, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue was discovered in Webmin 2.100. The File Manager functionality allows an attacker to exploit a Cross-Site Scripting (XSS) vulnerability. By providing a malicious payload, an attacker can inject arbitrary code, which is then executed within the context of the victim's browser when any file is searched/replaced.
Published Sep 15, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A reflected cross-site scripting (XSS) vulnerability in the File Manager function of Webmin v2.100 allows attackers to execute malicious scripts via injecting a crafted payload into the Replace in Results file.
Published Sep 15, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A reflected cross-site scripting (XSS) vulnerability in the File Manager function of Webmin v2.100 allows attackers to execute malicious scripts via injecting a crafted payload into the Find in Results file.
Published Sep 15, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A stored cross-site scripting (XSS) vulnerability in Webmin v2.100 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cloned module name parameter.
Published Sep 15, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A SQL injection vulnerability in Nagios XI 5.11.1 and below allows authenticated attackers with privileges to manage host escalations in the Core Configuration Manager to execute arbitrary SQL commands via the host escalation notification settings.
Published Sep 19, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A SQL injection vulnerability in Nagios XI v5.11.1 and below allows authenticated attackers with announcement banner configuration privileges to execute arbitrary SQL commands via the ID parameter sent to the update_banner_message() function.
Published Sep 19, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A Cross-site scripting (XSS) vulnerability in Nagios XI version 5.11.1 and below allows authenticated attackers with access to the custom logo component to inject arbitrary javascript or HTML via the alt-text field. This affects all pages containing the navbar including the login page which means the attacker is able to to steal plaintext credentials.
Published Sep 19, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
A SQL injection vulnerability in Nagios XI from version 5.11.0 up to and including 5.11.1 allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php
Published Sep 19, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.
Published Aug 28, 2023 · Updated Jul 9, 2026