Exploit Database

146,848 exploits tracked across all sources.

Sort: Activity Stars
CVE-2026-28792 GITHUB CRITICAL
ssw/tinacms/cli < 2.1.8 - Unauthenticated Path Traversal and Arbitrary File Write via CORS Misconfiguration
Tina is a headless content management system. Prior to 2.1.8 , the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
by alaeddine03
CVSS 9.6
CVE-2026-29066 GITHUB MEDIUM
ssw/tinacms/cli < 2.1.8 - Unauthenticated Arbitrary File Read via Vite Dev Server Misconfiguration
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
by alaeddine03
CVSS 6.2
CVE-2026-28793 GITHUB HIGH
TinaCMS CLI <2.1.8 - Path Traversal
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/*, /media/upload/*, and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8.
by alaeddine03
CVSS 8.4
CVE-2026-31280 NOMISEC MEDIUM
Parani M10 Motorcycle Intercom 2.1.3 - DoS
An issue in the Bluetooth RFCOMM service of Parani M10 Motorcycle Intercom v2.1.3 allows unauthorized attackers to cause a Denial of Service (DoS) via supplying crafted RFCOMM frames.
by CipherX1802
CVSS 6.5
CVE-2026-7229 GITHUB MEDIUM
code-projects Coaching Management System POST reply.php sql injection
A vulnerability was found in code-projects Coaching Management System 1.0. This affects an unknown function of the file /cims/modules/admin/reply.php of the component POST Handler. Performing a manipulation of the argument complaintreply results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
by Xmyronn
CVSS 6.3
CVE-2025-44560 WRITEUP CRITICAL
owntone-server 2ca10d9 - Buffer Overflow
owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.
CVSS 9.8
CVE-2025-66447 WRITEUP NONE
Chamilo LMS has validation-less redirect on login page
Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.
CVE-2026-29002 WRITEUP HIGH
CouchCMS Privilege Escalation via f_k_levels_list Parameter
CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment.
CVSS 7.2
CVE-2026-29861 WRITEUP CRITICAL
PHP-MYSQL-User-Login-System 1.0 - SQL Injection
PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.
CVSS 9.8
CVE-2026-31262 WRITEUP MEDIUM
Altenar Sportsbook Software Platform 2.0 - XSS
Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter
CVSS 6.1
CVE-2026-31939 WRITEUP HIGH
Path Traversal (Arbitrary File Delete) in Chamilo LMS
Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST['test'] is concatenated directly into filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38.
CVSS 8.3
CVE-2026-31940 WRITEUP HIGH
Session Fixation in Chamilo LMS
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
CVSS 7.5
CVE-2026-31941 WRITEUP HIGH
Server-Side Request Forgery (SSRF) in Chamilo LMS
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
CVSS 7.7
CVE-2026-32893 WRITEUP MEDIUM
Chamilo LMS has Reflected XSS via Unsanitized http_build_query() in Exercise Question List Pagination
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3.
CVSS 5.4
CVE-2026-32894 WRITEUP HIGH
Chamilo LMS Gradebook Results - Insecure Direct Object Reference
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
CVSS 7.1
CVE-2026-35594 WRITEUP MEDIUM
Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0.
CVSS 6.5
CVE-2026-35595 WRITEUP HIGH
Vikunja Affected by Privilege Escalation via Project Reparenting
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project. This vulnerability is fixed in 2.3.0.
CVSS 8.3
CVE-2026-35596 WRITEUP MEDIUM
Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.
CVSS 4.3
CVE-2026-35597 WRITEUP MEDIUM
Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls HandleFailedTOTPAuth and then unconditionally rolls back. HandleFailedTOTPAuth in pkg/user/totp.go uses an in-memory counter (key-value store) to track failed attempts. When the counter reaches 10, it calls user.SetStatus(s, StatusAccountLocked) on the same database session s. Because the login handler always rolls back after a TOTP failure, the StatusAccountLocked write is undone. The in-memory counter correctly increments past 10, so the lockout code executes on every subsequent attempt, but the database write is rolled back every time. This allows unlimited brute-force attempts against TOTP codes. This vulnerability is fixed in 2.3.0.
CVSS 5.9
CVE-2026-35598 WRITEUP MEDIUM
Vikunja has Missing Authorization on CalDAV Task Read
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. This vulnerability is fixed in 2.3.0.
CVSS 4.3
CVE-2026-35599 WRITEUP MEDIUM
Vikunja <2.3.0 Repeating Task Handler - Denial of Service
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.
CVSS 6.5
CVE-2026-35600 WRITEUP MEDIUM
Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0.
CVSS 5.4
CVE-2026-35619 WRITEUP MEDIUM
OpenClaw < 2026.3.24 - Authorization Bypass via HTTP /v1/models Endpoint
OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility route, bypassing the stricter WebSocket RPC authorization checks.
CVSS 4.3
CVE-2026-35620 WRITEUP MEDIUM
OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce operator.admin scope. Attackers with operator.write scope can invoke /send on|off|inherit to persistently mutate the current session's sendPolicy, and execute /allowlist add commands to modify config-backed allowFrom entries and pairing-store allowlist entries without proper admin authorization.
CVSS 5.4
CVE-2026-35643 WRITEUP HIGH
OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface
OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.
CVSS 8.8