Skip to main content
CVE-2018-25354 MEDIUM POC This Month

Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Jomres
NVD Exploit-DB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2018-25343 MEDIUM POC This Month

Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF
NVD Exploit-DB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2018-25349 MEDIUM POC This Month

userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-47124 MEDIUM PATCH GHSA This Month

Cross-tenant server telemetry disclosure in Nezha Monitoring's WebSocket endpoint allows any authenticated non-admin member to receive live infrastructure data for all servers on the platform, regardless of ownership. The dashboard's `/api/v1/ws/server` WebSocket handler (`ws.go:123-139`) uses a binary member/guest switch instead of per-object `HasPermission` checks, bypassing the object-level authorization that correctly governs the REST API. An authenticated member exploiting this can continuously stream CPU/GPU metrics, memory and disk usage, network transfer rates, agent versions, and uptime for servers belonging to other tenants. No public exploit or CISA KEV listing identified at time of analysis, though the GitHub advisory (GHSA-hvv7-hfrh-7gxj) includes a detailed static proof-of-concept.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-47157 MEDIUM PATCH GHSA This Month

Server-Side Request Forgery in aiograpi before 0.9.10 allows an adjacent-network attacker to redirect Instagram challenge-handling HTTP requests to arbitrary attacker-controlled hosts, exfiltrating the client's active session headers including authentication tokens. The library trusted server-supplied signup challenge paths and used them verbatim to construct outbound URLs without first verifying the path remained within Instagram's API domain. No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog, but the high confidentiality impact (CVSS C:H) reflects that session credential theft is the direct outcome of a successful attack.

SSRF
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy