| 81 | - | | - | - | Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_fie… | New | - | CVE-2026-4929 | 2026-05-22 07:16 | 2026-05-22 |
| 82 | - | | - | - | In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token di… | New | CWE-79 Cross-site Scripting | CVE-2026-4093 | 2026-05-22 07:16 | 2026-05-22 |
| 83 | 7.5 | HIGH Network | - | - | Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage. | New | CWE-331 Insufficient Entropy | CVE-2026-46473 | 2026-05-22 07:16 | 2026-05-22 |
| 84 | 5.4 | MEDIUM Network | - | - | Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attack… | New | CWE-79 Cross-site Scripting | CVE-2026-22678 | 2026-05-22 07:16 | 2026-05-22 |
| 85 | - | | - | - | Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashb… | New | CWE-352 Origin Validation Error; CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CVE-2026-8428 | 2026-05-22 06:16 | 2026-05-22 |
| 86 | - | | - | - | Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package ret… | New | CWE-352 Origin Validation Error; CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CVE-2026-8426 | 2026-05-22 06:16 | 2026-05-22 |
| 87 | - | | - | - | Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticate… | New | CWE-352 Origin Validation Error | CVE-2026-8421 | 2026-05-22 06:16 | 2026-05-22 |
| 88 | - | | - | - | Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/da… | New | CWE-352 Origin Validation Error | CVE-2026-8417 | 2026-05-22 06:16 | 2026-05-22 |
| 89 | - | | - | - | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accid… | New | - | CVE-2026-8352 | 2026-05-22 06:16 | 2026-05-22 |
| 90 | - | | - | - | Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access … | New | CWE-863 Incorrect Authorization | CVE-2026-8350 | 2026-05-22 06:16 | 2026-05-22 |