|
1001
|
7.1 |
HIGH
Network
|
-
|
-
|
Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log i…
Update
|
CWE-89
SQL Injection
|
CVE-2021-47980
|
2026-05-19 02:26 |
2026-05-17 |
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1002
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription par…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2021-47981
|
2026-05-19 02:26 |
2026-05-17 |
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1003
|
7.1 |
HIGH
Network
|
-
|
-
|
Redaxo CMS Addon MyEvents 2.2.1 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the myevents_id parameter. Att…
Update
|
CWE-89
SQL Injection
|
CVE-2018-25319
|
2026-05-19 02:26 |
2026-05-17 |
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1004
|
4.3 |
MEDIUM
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). Any authentic…
Update
|
CWE-862
Missing Authorization
|
CVE-2026-45007
|
2026-05-19 02:25 |
2026-05-16 |
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1005
|
6.5 |
MEDIUM
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit tr…
Update
|
CWE-73
External Control of File Name or Path
|
CVE-2026-45008
|
2026-05-19 02:25 |
2026-05-16 |
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1006
|
4.3 |
MEDIUM
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login statu…
Update
|
CWE-863
Incorrect Authorization
|
CVE-2026-45009
|
2026-05-19 02:25 |
2026-05-16 |
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1007
|
9.1 |
CRITICAL
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session bind…
Update
|
CWE-307
Improper Restriction of Excessive Authentication Attempts
|
CVE-2026-45010
|
2026-05-19 02:25 |
2026-05-16 |
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1008
|
7.5 |
HIGH
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains a SQL injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims. Attac…
Update
|
CWE-89
SQL Injection
|
CVE-2026-46359
|
2026-05-19 02:25 |
2026-05-16 |
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1009
|
5.4 |
MEDIUM
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass san…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-46360
|
2026-05-19 02:25 |
2026-05-16 |
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1010
|
6.9 |
MEDIUM
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protect…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-46361
|
2026-05-19 02:25 |
2026-05-16 |
|
GitHub
Exploit DB
Packet Storm
|
|
|