Vulnerability Research·CVE·Injection
CVE-2026-54597: Authenticated Time-Based Blind SQL Injection in ITFlow
Technical breakdown of an authenticated time-based blind SQL injection in ITFlow (GHSA-m63v-j7fw-hq2h), CVE-2026-54597. The expires parameter in agent/ajax.php bypasses sanitizeInput() entirely in a raw INTERVAL context, enabling full database exfiltration. Detailed PoC and fix analysis.
2026-06-03
117
1
7 min read
CVE·Vulnerability Research
CVE-2026-48493: Privilege Escalation via Permission Bypass in Snipe-IT
Technical breakdown of CVE-2026-48493: Users with users.edit permission escalate to near-full system access via PreserveUnauthorizedPrivilegedPermissionsAction bypass. Detailed PoC and impact analysis.
2026-05-28
152
2
3 min read
Vulnerability Research·CVE
enumeration·CVE
CVE-2026-55476: Snipe-IT Unauthorized Asset Request Cancellation via cancel_by_admin IDOR
Technical write-up of CVE-2026-55476 in Snipe-IT <= v8.5.0. Any authenticated user can cancel other users' asset requests via a missing authorization check on the cancel_by_admin URL parameter.
2026-05-28
53
3
3 min read
CVE·Vulnerability Research
CVE
CVE-2026-48492: User Account Enumeration via Missing Authorization in Snipe-IT
Technical breakdown of CVE-2026-48492: A missing authorization flaw in Snipe-IT allowing authenticated users to enumerate accounts via the API.
2026-05-27
485
4
3 min read
Rce·CVE
Rce
FacturaScripts <= 2026 Authenticated RCE via Malicious Plugin Upload
Detailed vulnerability analysis of an Authenticated Remote Code Execution (RCE) in FacturaScripts (<= 2026). Explore the PoC via malicious plugin upload and learn about server hardening mitigations.
2026-05-01
294
2
3 min read
Rce·CVE
Rce·CMS
.NET Deserialization Leading to Remote Code Execution (CVE-2019-18211)
This blog post explains the black-box exploitation of Composite C1 CMS via CVE-2019-18211. The deserialization vulnerability in the EntityTokenSerializer class allows attackers to achieve remote code execution (RCE) on the server. Step-by-step attack and mitigation recommendations are provided.
2025-08-15
1328
13
3 min read
CVE·File Upload Bypass
CVE·File Upload Bypass
CVE-2024-11404: Medium Severity File Upload Vulnerabilities in django-filer 3.2.3
Unrestricted Upload of File with Dangerous Type, Improper Input Validation, and Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in django CMS Association django Filer allows Input Data Manipulation and Stored XSS. This issue affects django Filer: from 3 before 3.3.
2024-11-20
5320
2
5 min read
Xss·CVE
CMS·CVE
Django CMS 4.1.3 Stored XSS Vulnerability: Exploiting the Page Title Field
CVE-2024-11319: Discover the stored XSS vulnerability in Django CMS 4.1.3 that affects the Page Title field. Learn about the security risks, exploitation methods, and remediation strategies to protect your site from potential attacks.
2024-11-11
4585
15
3 min read