runZero Vulnerability Templates

WordPress Campress Theme <= 1.35 - Unauthenticated Local File Inclusion (critical)

Tue, 12 May 2026 13:39:15 +0000

Campress theme for WordPress up to 1.35 contains a local file inclusion caused by 'campress_woocommerce_get_ajax_products' function, letting unauthenticated attackers include and execute arbitrary PHP files, exploit requires no authentication.

Severity: critical · Category: http-cves · CVEs: CVE-2024-10763

EspoCRM - Detect (info)

Tue, 12 May 2026 13:39:15 +0000

EspoCRM panel was detected.

Severity: info · Category: http-exposed-panels

Blinko - Login Panel Detection (info)

Mon, 11 May 2026 16:18:19 +0000

Detected A Blinko self-hosted personal note application login panel.

Severity: info · Category: http-exposed-panels

Tattile Camera < 1.181.5 - Default Login (high)

Mon, 11 May 2026 16:18:19 +0000

Tattile Smart+, Vega, and Basic device families firmware <= 1.181.5 contain a broken authentication caused by default credentials not forced to be changed, letting attackers with management interface access gain administrative privileges.

Severity: high · Category: http-cves · CVEs: CVE-2026-26341

IBM MobileFirst Foundation - Default Credentials (critical)

Fri, 08 May 2026 17:28:25 +0000

Detected IBM MobileFirst Foundation Operations Console was found using default credentials. The administration REST API exposes full control over mobile application backends including adapter management, push notification infrastructure, OAuth security configuration, and application authenticity enforcement.

Severity: critical · Category: http-default-logins

Linkwarden Panel - Detect (info)

Wed, 06 May 2026 22:08:47 +0000

Linkwarden (linkwarden.app / github.com/linkwarden/linkwarden) is a popular open-source self-hosted bookmark and link archiving manager. Default Docker port 3000. Exposed instances may reveal users' archived link collections, screenshots, and PDFs.

Severity: info · Category: http-exposed-panels

Windmill Panel - Detect (info)

Wed, 06 May 2026 22:08:47 +0000

Windmill panel was detected. Windmill (windmill.dev) is an open-source developer platform for workflows, scripts and internal apps, often self-hosted as a Postgres-backed UI. Exposed instances may reveal scripts, secrets and connected resources, and provide an authenticated path to script execution.

Severity: info · Category: http-exposed-panels

Airbyte Panel - Detect (info)

Wed, 06 May 2026 22:08:47 +0000

Airbyte panel was detected. Airbyte is a popular open-source data integration platform.

Severity: info · Category: http-exposed-panels

OpenBao Web UI Panel - Detect (info)

Wed, 06 May 2026 22:08:47 +0000

Detects the presence of the OpenBao web console.

Severity: info · Category: http-exposed-panels

Apache ActiveMQ 6.x < 6.1.2 - Broken Access Control (high)

Wed, 06 May 2026 22:08:47 +0000

Apache ActiveMQ 6.x contains an unauthenticated API web context caused by default configuration lacking security measures in the Jetty server, letting anyone interact with broker APIs and messaging layers, exploit requires no authentication.

Severity: high · Category: http-cves · CVEs: CVE-2024-32114

Laravel Login - Panel Detection (info)

Wed, 06 May 2026 22:08:47 +0000

A Laravel login panel was detected.

Severity: info · Category: http-exposed-panels

MLflow Job API - Authentication Bypass (critical)

Wed, 06 May 2026 22:08:47 +0000

MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/* when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions.

Severity: critical · Category: http-cves · CVEs: CVE-2026-0545

Mealie Panel - Detect (info)

Wed, 06 May 2026 22:08:47 +0000

Detected Mealie was a self-hosted recipe manager and meal planner with a Vue/Nuxt frontend and FastAPI backend.

Severity: info · Category: http-exposed-panels

DataEase 2.10.4-2.10.7 - Remote Code Execution (critical)

Wed, 06 May 2026 22:08:47 +0000

DataEase prior to version 2.10.8 contains a remote code execution caused by insecure backend JDBC link handling, letting authenticated users execute arbitrary code, exploit requires user authentication.

Severity: critical · Category: http-cves · CVEs: CVE-2025-32966

ZITADEL Panel - Detect (info)

Wed, 06 May 2026 22:08:47 +0000

Detected ZITADEL was an open-source identity infrastructure platform providing OIDC, OAuth 2.0, SAML and machine-user IAM.

Severity: info · Category: http-exposed-panels

Paperless-ngx Panel - Detect (info)

Wed, 06 May 2026 22:08:47 +0000

Detected Paperless-ngx was a self-hosted document management platform for scanning, OCR-ing and tagging paper documents.

Severity: info · Category: http-exposed-panels

Device42 Panel - Detect (info)

Mon, 04 May 2026 17:12:58 +0000

Device42 was detected — a Discovery, Asset Management and Dependency Mapping for Data Center and Cloud.

Severity: info · Category: http-exposed-panels

cPanel & WHM - Authentication Bypass via Session-File CRLF Injection (critical)

Mon, 04 May 2026 17:12:58 +0000

cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Severity: critical · Category: http-cves

Claris FileMaker Server Admin Console - Detect (info)

Mon, 04 May 2026 17:12:58 +0000

Claris FileMaker Server Admin Console panel was detected.

Severity: info · Category: http-exposed-panels

Supabase Studio Panel - Detect (info)

Mon, 04 May 2026 17:12:58 +0000

Supabase Studio login panel was detected. The admin dashboard shipped with Supabase, the popular open-source Firebase alternative (Postgres + auth + realtime + storage + edge functions).

Severity: info · Category: http-exposed-panels

ChurchCRM - API Authentication Bypass via URL Injection (critical)

Mon, 04 May 2026 17:12:58 +0000

ChurchCRM < 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints, exploit requires crafted request URL with 'api/public

Severity: critical · Category: http-cves · CVEs: CVE-2026-39339

Langflow < 1.9.0 - Remote Code Execution (critical)

Mon, 04 May 2026 17:12:58 +0000

Langflow versions prior to 1.9.0 are vulnerable to unauthenticated remote code execution (RCE) via the build_public_tmp endpoint. Attackers can submit a manipulated flow JSON containing Python code that is executed during the build process without proper sandboxing.

Severity: critical · Category: http-cves · CVEs: CVE-2026-33017

Mesop AI Sandbox <= 1.2.2 - Remote Code Execution (critical)

Mon, 04 May 2026 17:12:58 +0000

Mesop <= 1.2.2 contains an unrestricted remote code execution caused by unauthenticated ingestion and execution of base64-encoded Python code in the /exec-py endpoint of ai/testing module, letting attackers execute arbitrary commands on the host, exploit requires HTTP access to the server.

Severity: critical · Category: http-cves · CVEs: CVE-2026-33057

FormLift for Infusionsoft Web Forms <= 7.5.17 - SQL Injection (critical)

Mon, 04 May 2026 17:12:58 +0000

The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to SQL Injection via the 'form_id' parameter in versions up to, and including, 7.5.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Severity: critical · Category: http-cves · CVEs: CVE-2024-38773

Outline Panel - Detect (info)

Mon, 04 May 2026 17:12:58 +0000

Outline (getoutline.com / github.com/outline/outline) is a popular open-source team knowledge base / wiki, often self-hosted as a Notion alternative. Exposed self-hosted instances may reveal team documents and provide a path to login enumeration if SSO is misconfigured.

Severity: info · Category: http-exposed-panels

RestroPress 3.0.0-3.2.1 - Authentication Bypass (critical)

Thu, 23 Apr 2026 20:11:17 +0000

RestroPress Online Food Ordering System WordPress plugin 3.0.0 to 3.1.9.2 contains an authentication bypass caused by exposure of user private tokens and API data via /wp-json/wp/v2/users endpoint, letting unauthenticated attackers forge JWT tokens and authenticate as other users including administrators, exploit requires no authentication.

Severity: critical · Category: http-cves · CVEs: CVE-2025-9209

Avaya Phone Web Interface - Default Login (high)

Thu, 23 Apr 2026 20:11:17 +0000

Avaya phone web interface contains a default login vulnerability. An attacker can obtain access to sensitive information, modify data, and/or execute unauthorized operations.

Severity: high · Category: http-default-logins

MajorDoMo - Unauthenticated RCE (critical)

Thu, 23 Apr 2026 20:11:17 +0000

MajorDoMo contains a remote code execution caused by an include order bug and lack of exit after redirect in admin panel's PHP console, letting unauthenticated attackers execute arbitrary PHP code via crafted GET requests.

Severity: critical · Category: http-cves · CVEs: CVE-2026-27174

Rclone RC - Broken Access Control (critical)

Thu, 23 Apr 2026 20:11:17 +0000

Rclone >= 1.45.0 and < 1.73.5 contains a broken access control vulnerability caused by unauthenticated access to the RC endpoint `options/set` allowing mutation of global runtime configuration, letting unauthenticated attackers access sensitive administrative functions, exploit requires RC server started without global HTTP authentication.

Severity: critical · Category: http-cves · CVEs: CVE-2026-41176

Apache Superset - Default Login (high)

Thu, 23 Apr 2026 20:11:17 +0000

Apache Superset instance discovered using weak default credentials, allows the attacker to gain admin privilege.

Severity: high · Category: http-default-logins

Export WP Page to Static HTML <= 4.3.4 - Cookie Exposure (critical)

Thu, 23 Apr 2026 20:11:17 +0000

Export WP Page to Static HTML & PDF WordPress plugin <= 4.3.4 contains a sensitive information exposure caused by publicly exposed cookies.txt files with authentication cookies, letting unauthenticated attackers access sensitive authentication data, exploit requires site administrator to trigger backup with specific user role.

Severity: critical · Category: http-cves · CVEs: CVE-2025-11693

WP Directory Kit <= 1.4.4 - Authentication Bypass (critical)

Thu, 23 Apr 2026 20:11:17 +0000

The WP Directory Kit plugin for WordPress version 1.4.4 and below contains an authentication bypass vulnerability in its auto-login functionality. The vulnerability allows unauthenticated attackers to gain administrative access by exploiting a cryptographically weak token generation mechanism that uses only the first 10 characters of MD5(user_id). For user_id=1 (typically admin), the token is always predictable.

Severity: critical · Category: http-cves · CVEs: CVE-2025-13390

Fortinet FortiSandbox Panel - Detect (info)

Thu, 23 Apr 2026 20:11:17 +0000

Fortinet FortiSandbox login panel was discovered.

Severity: info · Category: http-exposed-panels

Vendure Core - SQL Injection (critical)

Fri, 17 Apr 2026 18:59:39 +0000

Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or input validation, allowing unauthenticated attackers to execute arbitrary SQL commands. This can lead to full database disclosure and denial of service.

Severity: critical · Category: http-cves · CVEs: CVE-2026-40887

Nginx UI - Broken Access Control (critical)

Thu, 16 Apr 2026 15:25:44 +0000

Network attackers can fully control nginx service, including config modification and service restart, leading to complete service takeover.

Severity: critical · Category: http-cves · CVEs: CVE-2026-33032

OpenHands Panel - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

OpenHands (formerly OpenDevin) was detected. OpenHands is an open-source AI software engineering agent platform that can write code, run commands, and perform development tasks autonomously. Exposed instances may allow unauthenticated access to the agent.

Severity: info · Category: http-exposed-panels

H2O Wave ML Application Server - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

H2O Wave was detected. H2O Wave was an open-source Python development framework for building real-time interactive AI and ML web applications. The Wave server hosted applications built on the platform.

Severity: info · Category: http-exposed-panels

ClearML Panel - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

ClearML was detected. ClearML is an open-source MLOps platform for experiment tracking, model management, and pipeline orchestration. Exposed instances may allow access to ML experiments, models, and infrastructure configurations.

Severity: info · Category: http-exposed-panels

Cisco Secure Firewall Management Center - Authentication Bypass (critical)

Tue, 14 Apr 2026 20:00:31 +0000

Cisco Secure Firewall Management Center Software contains an authentication bypass caused by improper system process creation at boot, letting unauthenticated remote attackers execute scripts and gain root access, exploit requires crafted HTTP requests.

Severity: critical · Category: http-cves · CVEs: CVE-2026-20079

Flowise Panel - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

Flowise panel was detected. Flowise is an open-source drag-and-drop LLM flow builderand AI agent platform. Exposed instances may reveal AI workflow configurations, API keys, and connected data sources.

Severity: info · Category: http-exposed-panels

Easy Diffusion Panel - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

Easy Diffusion (formerly Stable Diffusion UI) was detected. Easy Diffusion is a one-click, self-hosted Stable Diffusion web application focused on accessibility and ease of use for AI image generation. Exposed instances allow unauthenticated access to image generation capabilities and stored outputs.

Severity: info · Category: http-exposed-panels

ShowDoc Panel Detection (info)

Tue, 14 Apr 2026 20:00:31 +0000

ShowDoc panel was detected. ShowDoc was a tool for documenting APIs and interfaces.

Severity: info · Category: http-exposed-panels

AnythingLLM Panel - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

Detects the AnythingLLM web interface.

Severity: info · Category: http-exposed-panels

SuperAGI Panel - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

SuperAGI panel was detected. SuperAGI was an open-source autonomous AI agent platform that enables building, managing, and running AI agents. Exposed instances may allow unauthorized access to agent configurations and execution environments.

Severity: info · Category: http-exposed-panels

AstrBot - Default Login (high)

Tue, 14 Apr 2026 20:00:31 +0000

AstrBot contains a default login vulnerability. An attacker can access the AstrBot dashboard using default credentials and gain control over the chatbot framework, modify configurations, manage LLM providers, and execute unauthorized operations.

Severity: high · Category: http-default-logins

AgentGPT Panel - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

AgentGPT was detected. AgentGPT was a browser-based autonomous AI agent platform that allows users to create, configure and deploy AI agents directly in the browser.

Severity: info · Category: http-exposed-panels

SillyTavern Panel - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

SillyTavern was detected. SillyTavern is a character-based AI roleplay and chat frontend that connects to local or remote LLM backends. Exposed instances may allow unauthenticated access to AI models and conversation history.

Severity: info · Category: http-exposed-panels

KoboldAI Panel - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

KoboldAI was detected. KoboldAI was an AI text adventure and story generation interface that supports multiple local and remote language models including koboldcpp and AI Horde.

Severity: info · Category: http-exposed-panels

AstrBot WebUI Login Panel - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

Astrbot WebUI login panel was detected.

Severity: info · Category: http-exposed-panels

CVAT Computer Vision Annotation Tool - Detect (info)

Tue, 14 Apr 2026 20:00:31 +0000

CVAT (Computer Vision Annotation Tool) was detected. CVAT is a widely used open-source annotation platform for labelling images, video, and 3D point clouds used to train AI/ML computer vision models.

Severity: info · Category: http-exposed-panels