Qool CMS 2.0 RC2 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions on behalf of authenticated users. An attacker can craft malicious web pages that, when visited by a logged-in administrator, silently forge POST requests to the /admin/adduser endpoint to create root-level user accounts, resulting in unauthorized administrative access. The CVSS 5.3 score reflects moderate integrity impact with network attack vector and no privilege requirement, though the vulnerability requires user interaction (visiting a malicious page) to be exploited.
ZKTeco ZKBioSecurity 3.0 contains a local file path manipulation vulnerability (CWE-276) that allows unauthenticated attackers to bypass access controls and read arbitrary files including configuration files, source code, and application resources. A publicly available proof-of-concept exists, and the vulnerability has moderate real-world risk due to its local attack vector requirement but high confidentiality impact on sensitive biometric system data.
ZKTeco ZKBioSecurity 3.0 contains a local authentication bypass vulnerability in visLogin.jsp that allows low-privileged attackers to authenticate without valid credentials by spoofing IPv6 loopback addresses and leveraging hardcoded credentials. An authenticated local attacker can access sensitive information and perform unauthorized actions; public exploits are available (Packet Storm Security, Exploit-DB), indicating moderate real-world risk despite the 5.5 CVSS score reflecting local-only attack vector.
RealtyScript 4.0.2 contains a stored cross-site scripting (XSS) vulnerability in the pages.php admin interface that allows authenticated attackers to inject malicious HTML and iframe elements through the text parameter. Attackers can craft POST requests to store malicious content that executes in the browsers of users viewing affected pages. A public proof-of-concept exploit exists (Exploit-DB 38496), making this vulnerability actively exploitable by authenticated threat actors.
A cross-site scripting vulnerability in Next Click Ventures RealtyScript 4.0.2 (CVSS 6.1) that allows attackers. Risk factors: public PoC available.
Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting (XSS) vulnerabilities in the enginemanager interface where user-supplied input through parameters (appName, vhost, uiAppType, wowzaCloudDestinationType) is not properly sanitized before being returned to users. An attacker can inject malicious JavaScript to execute arbitrary code in a victim's browser session, potentially compromising administrator credentials or session tokens. A public proof-of-concept exploit exists, increasing real-world exploitation risk.
Stored cross-site scripting (XSS) vulnerability in Next Click Ventures RealtyScript 4.0.2 that allows unauthenticated attackers to inject malicious scripts through unsanitized CSV file upload filenames. When users process or view uploaded files, arbitrary JavaScript executes in their browsers with the ability to steal session cookies, modify page content, and perform actions on behalf of the victim. A public proof-of-concept exploit exists (Exploit-DB #38496), though no evidence of active KEV exploitation has been documented; the moderate CVSS score (6.1) reflects the requirement for user interaction to trigger the vulnerability.
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an authentication bypass in the Device Identifier Handler component that allows unauthenticated remote attackers to manipulate username and password parameters via the /WebService/UpdateLocalDevInfo.jsp endpoint. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
CVE-2026-4180 is an authentication bypass vulnerability in the D-Link DIR-816 router (version 1.10CNB05) affecting the redirect.asp file in the goahead component, allowing remote attackers to gain unauthorized access without authentication. A public proof-of-concept exploit is available and the affected product is no longer supported by D-Link, making this vulnerability permanently unpatched.
A critical unrestricted file upload vulnerability exists in the Profile Picture Handler component of JawherKl's node-api-postgres library (versions up to 2.5), where improper validation in the path.extname function of index.js allows attackers to upload malicious files remotely without authentication. A proof-of-concept exploit is publicly available, making this vulnerability actively exploitable, though it is not currently listed in CISA's KEV catalog and no EPSS score is provided.
SQL injection in the User.getAll function of node-api-postgres up to version 2.5 allows remote attackers to manipulate the sort parameter and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. Affected deployments using PostgreSQL with the vulnerable Node.js API library face risks of unauthorized data access, modification, and potential service disruption.
ZKTeco ZKBioSecurity 3.0 contains a cross-site request forgery (CSRF) vulnerability that allows authenticated attackers to perform unauthorized administrative actions, specifically adding superadmin accounts without proper validation. An attacker can craft malicious HTTP requests that, when visited by a logged-in administrator, silently create new superadmin credentials, effectively granting the attacker persistent unauthorized administrative access. This vulnerability requires user interaction (a logged-in admin must visit an attacker-controlled page) but does not require elevated privileges to trigger, presenting a moderate but real risk to organizations using this biometric access control system.
RealtyScript 4.0.2 contains a cross-site request forgery (CSRF) vulnerability in its user management endpoints that allows unauthenticated attackers to create arbitrary user accounts and escalate privileges to SUPERUSER level without authentication. The vulnerability affects the /admin/addusers.php and /admin/editadmins.php endpoints, which process hidden form data without CSRF token validation. An attacker can craft malicious web pages or emails containing hidden forms that, when visited by an authenticated administrator, silently create new administrative accounts under the attacker's control, leading to complete system compromise.
Wowza Streaming Engine version 4.5.0 is vulnerable to cross-site request forgery (CSRF) that allows unauthenticated attackers to perform administrative actions without user interaction. An attacker can craft a malicious webpage that, when visited by a logged-in administrator, automatically submits POST requests to create new administrative accounts with attacker-controlled credentials, effectively granting the attacker full administrative access to the streaming infrastructure. This vulnerability carries a CVSS score of 5.3 (medium severity) but represents significant real-world risk due to the simplicity of exploitation and the high-impact outcome of account creation.
RealtyScript 4.0.2 by Next Click Ventures contains both cross-site request forgery (CSRF) and persistent cross-site scripting (XSS) vulnerabilities that allow unauthenticated attackers to perform unauthorized administrative actions and inject malicious scripts into the application. An attacker can craft malicious web pages that trick authenticated users into performing unintended administrative actions, or inject persistent scripts that execute in the application context for all users. With a CVSS score of 5.3 and a network-based attack vector requiring no privileges or user interaction beyond initial application access, this represents a moderate integrity risk to affected deployments.
A DOM-based cross-site scripting (XSS) vulnerability exists in Serviio PRO's mediabrowser component that allows unauthenticated remote attackers to execute arbitrary JavaScript code in a user's browser context. The vulnerability affects multiple versions of Serviio PRO (1.6.1 through 1.8.0.0) and exploits unsafe handling of URL parameters passed from document.location to document.write(). Publicly available proof-of-concept exploits exist, making this a moderate-to-high priority vulnerability despite the CVSS 6.1 score.
Stored cross-site scripting (XSS) vulnerability in ZKTeco ZKAccess Security System 5.3.1 that allows remote attackers to inject malicious scripts via the 'holiday_name' and 'memo' POST parameters without authentication. Multiple public proof-of-concept exploits are available, making this vulnerability actively exploitable in unpatched systems.
Reflected cross-site scripting (XSS) vulnerability in ZKTeco ZKBioSecurity 3.0 that allows unauthenticated attackers to execute arbitrary HTML and JavaScript code in a victim's browser session through malicious URLs containing unsanitized parameters. The vulnerability affects all versions of ZKBioSecurity 3.0 across the product line, and publicly available exploits exist (confirmed via PacketStorm Security), making it a moderate-risk vulnerability (CVSS 6.1) with demonstrated real-world exploitation potential.
Unauthenticated attackers can modify arbitrary WordPress posts through the User Frontend plugin (versions up to 4.2.8) due to missing authorization checks in the draft_post() function, allowing them to unpublish or alter post content. The vulnerability affects all installations of the affected plugin versions without requiring authentication or user interaction. No patch is currently available.
A vulnerability was determined in Aureus ERP up to 1.3.0-BETA2.
A security flaw has been discovered in Tecnick TCExam up to 16.6.0.
An Insecure Direct Object Reference (IDOR) vulnerability exists in the Wicked Folders plugin for WordPress (versions up to 4.1.0) within the delete_folders() function, allowing authenticated attackers with Contributor-level privileges to delete arbitrary folders created by other users due to missing validation on user-controlled folder identifiers. The vulnerability has a CVSS score of 4.3 (low-to-moderate severity) with a network attack vector requiring low privilege access and no user interaction. While the CVSS rating is moderate, the practical impact is data loss affecting legitimate users' organizational structures.