iltosec security research: vulnerability research / CVE
11 CVEs disclosed
CVE-2026-53767: Missing File Extension Validation in admin_update_upload() Critical / 9.1
The admin_update_upload() handler overwrites an existing file with newly uploaded content without validating the uploaded file's type or extension against the upload whitelist. The upload_tester() helper only checks the PHP upload error code and the file size; it does not enforce an extension allowlist. Additionally, files in the current uploads_path directory can be listed and downloaded via the admin panel, exposing application internals when the path is redirected to a sensitive directory.
2026-06-11
CVE-2026-53768: Incomplete Directory Blocklist in uploads_path Validation Allows Access to Sensitive Application Files High / 8.7
An authenticated administrator can set the uploads_path setting to a sensitive application directory (e.g. tools/) because the directory blocklist used to validate the path is incomplete. This allows the application's upload directory to be pointed at directories that contain executable PHP files.
2026-06-11
CVE-2026-54597: Authenticated Time-Based Blind SQL Injection in ITFlow via expires Parameter High / 8.3
The share_generate_link handler inserts the expires GET parameter directly into a MySQL INTERVAL expression without quoting it. sanitizeInput() escapes quote characters via mysqli_real_escape_string(), which is only effective in string contexts. The INTERVAL unit position is a raw SQL expression context where no quoting occurs, so the escape is bypassed entirely. Any authenticated user with module_support write permission can perform time-based blind SQL injection to read any data from the database.
2026-06-06
CVE-2026-54596: Authenticated SQL Injection via recurring_invoice_frequency Parameter Enables Full Database Exfiltration High / 8.1
An SQL injection vulnerability in ITFlow's recurring invoice creation endpoint allows any authenticated user with the Technician role to exfiltrate arbitrary data from the database. A Technician who has access to at least one client invoice can extract admin password hashes, SMTP credentials, and all user account data in a single HTTP request, without any admin interaction.
2026-06-06
CVE-2026-48493: Privilege Escalation via Insufficient Permission Validation in User Update API - Snipe-IT Medium / 5.5
Snipe-IT's user update API endpoint (PATCH /api/v1/users/{id}) does not sufficiently validate the permissions payload submitted by authenticated users. The PreserveUnauthorizedPrivilegedPermissionsAction class only strips superuser and admin flags from incoming requests; all other module-level permissions (e.g., assets.delete, licenses.keys, users.delete) pass through without any restriction or ownership ceiling validation. This allows an authenticated attacker with limited privileges (such as users.edit) to escalate their privileges vertically and perform unauthorized actions across the system.
2026-05-28
CVE-2026-48492: User Account Enumeration via Unauthenticated selectlist Endpoint - Snipe-IT Low / 3.3
The GET /api/v1/users/selectlist endpoint is missing the view.selectlists authorization check present in all other selectlist controllers. Any authenticated user with zero permissions can enumerate all user accounts, harvest usernames, full names, employee numbers, and perform indirect email enumeration via the search parameter.
2026-05-21
CVE-2026-55476: Unauthorized Asset Request Cancellation via Unguarded cancel_by_admin Parameter - Snipe-IT Medium / 6.5
The route POST /account/request/{itemType}/{itemId}/{cancel_by_admin?}/{requestingUser?} accepts cancel_by_admin as a plain URL path segment with no authorization check. Any authenticated user regardless of permissions can set this parameter to a truthy value and supply a victim's user ID to silently cancel that user's pending asset requests. The attacker only needs an active session; no elevated privilege is required.
2026-05-21
CVE-2026-55464: Stored XSS via Markdown custom field - Snipe-IT Medium / 6.4
CommonMark is configured with html_input => 'escape', which blocks raw HTML injection. However, javascript: URIs in Markdown hyperlinks are not sanitized. A user with assets.edit permission can inject a malicious link into any markdown-textarea custom field. Any user who opens the asset detail page and clicks the link executes arbitrary JavaScript in their browser session.
2026-05-21
CVE-2024-11406: Stored XSS Vulnerability in Django CMS 3.0.0 (Attributes Fields) Medium / 6.9
The vulnerability resides in the Django CMS admin panel under the Page Editing interface, specifically when utilizing the "Add plugin to placeholder 'Page Content'" feature. Malicious payloads can be injected into the "Attributes" field of plugins like "card" or "badge," leading to Stored XSS attacks.
2024-11-20
CVE-2024-11404: File Upload Bypass Vulnerability in Django Filer 3.2.3 Medium / 5.5
The vulnerabilities were identified in django-filer 3.2.3, a file management application commonly used with django CMS. These issues allow attackers to bypass upload restrictions for HTML and SVG files, potentially uploading malicious files containing scripts that execute on the client side.
2024-11-20
CVE-2024-11319: Stored XSS Vulnerability in Django CMS 4.1.3 Medium / 4.8
Django CMS version 4.1.3 is affected by a stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject arbitrary JavaScript code that is executed in the context of the web application, potentially compromising the safety of all users visiting the affected page.
2024-11-18