7.7

CVSS4.0

CVE-2020-37153 - ASTPP VoIP 4.0.1 - Remote Code Execution

ASTPP 4.0.1 contains multiple vulnerabilities including cross-site scripting and command injection in SIP device configuration and plugin management interfaces. Attackers can exploit these flaws to inject system commands, hijack administrator sessions, and potentially execute arbitrary code with ro…

📅 Published: Feb. 11, 2026, 8:49 p.m. 🔄 Last Modified: March 5, 2026, 1:28 a.m.

8.7

CVSS4.0

CVE-2020-37104 - ASTPP 4.0.1 VoIP Billing - Database Backup Download

ASTPP 4.0.1 contains an information disclosure vulnerability that allows unauthenticated attackers to download database backup files by predicting backup filename patterns. Attackers can generate a list of 6-digit PIN combinations and fuzz the backup download URL to exfiltrate sensitive database in…

📅 Published: Feb. 11, 2026, 8:49 p.m. 🔄 Last Modified: March 5, 2026, 1:28 a.m.

5.1

CVSS4.0

CVE-2019-25313 - FlexNet Publisher 11.12.1 - Cross-Site Request Forgery (Add Local Admin)

FlexNet Publisher 11.12.1 contains a cross-site request forgery vulnerability that allows attackers to create administrative user accounts without authentication. Attackers can craft a malicious HTML form to trick authenticated users into submitting a request that creates a new local admin account …

📅 Published: Feb. 11, 2026, 8:49 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

8.6

CVSS4.0

CVE-2026-25935 - Vikunja Affected by XSS Via Task Preview

Vikunja is a todo-app to organize your life. Prior to 1.1.0, TaskGlanceTooltip.vue temporarily creates a div and sets the innerHTML to the description. Since there is no escaping on either the server or client side, a malicious user can share a project, create a malicious task, and cause an XSS on …

📅 Published: Feb. 11, 2026, 8:47 p.m. 🔄 Last Modified: April 17, 2026, 8:15 p.m.

8.5

CVSS3.1

CVE-2026-25924 - Kanboard is Missing Access Control on Plugin Installation leading to Administrative RCE

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface w…

📅 Published: Feb. 11, 2026, 8:43 p.m. 🔄 Last Modified: April 17, 2026, 8:15 p.m.

8.7

CVSS3.1

CVE-2026-25759 - Statamic affected by privilege escalation via stored cross-site scripting

Statamic is a Laravel and Git powered content management system (CMS). From 6.0.0 to before 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Maliciou…

📅 Published: Feb. 11, 2026, 8:37 p.m. 🔄 Last Modified: April 17, 2026, 8:15 p.m.

4.6

CVSS4.0

CVE-2020-37215 - MSN Password Recovery 1.30 - Denial of Service

MSN Password Recovery version 1.30 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized input in the registration code field. Attackers can generate a 9000-byte buffer of repeated characters and paste it into the 'User Name and Registra…

📅 Published: Feb. 11, 2026, 8:37 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

8.7

CVSS4.0

CVE-2020-37214 - Voyager 1.3.0 - Directory Traversal

Voyager 1.3.0 contains a directory traversal vulnerability that allows attackers to access sensitive system files by manipulating the asset path parameter. Attackers can exploit the path parameter in /admin/voyager-assets to read arbitrary files like /etc/passwd and .env configuration files.

📅 Published: Feb. 11, 2026, 8:37 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

6.7

CVSS4.0

CVE-2020-37213 - TextCrawler Pro 3.1.1 - Denial of Service

TextCrawler Pro 3.1.1 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized buffer in the license key field. Attackers can generate a 6000-byte payload and paste it into the activation field to trigger an application crash.

📅 Published: Feb. 11, 2026, 8:37 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

4.6

CVSS4.0

CVE-2020-37212 - SpotMSN 2.4.6 - 'Name' Denial of Service

SpotMSN 2.4.6 contains a denial of service vulnerability in the registration name input field that allows attackers to crash the application. Attackers can generate a 1000-character payload and paste it into the 'Name' field to trigger an application crash.

📅 Published: Feb. 11, 2026, 8:37 p.m. 🔄 Last Modified: Feb. 26, 2026, 11:23 p.m.