Threat Intelligence Database

CVE-2026-7468 is a medium severity vulnerability in 1024-lab smart-admin up to version 3.30.0 involving improper access controls in the /smart-admin-api/druid/index.html file of the Demo Site component. The vulnerability can be exploited remotely without authentication and has been publicly disclosed. The vendor has not yet responded or provided a fix. The CVSS 4.0 base score is 6.9, reflecting network attack vector and no required privileges or user interaction. No official patch or mitigation guidance is currently available.

A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is the function getListByPage of the file /index/Search/index.html. Executing a manipulation of the argument keyword can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was determined in wandb OpenUI up to 1.0. Affected by this vulnerability is an unknown functionality of the file frontend/public/annotator/index.html of the component Window Message Event Handler. This manipulation causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

A flaw has been found in dameng100 muucmf 1.9.5.20260309. Impacted is an unknown function of the file /admin/Member/index.html. This manipulation of the argument Search causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

MediumVulnerabilityChinaTaiwanSingapore+6#cve#cve-2026-4845

iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters.

MediumVulnerabilityChinaIndiaUnited States+7#cve#cve-2026-30661

Amazon AWS aws-js-s3-explorer (aka AWS JavaScript S3 Explorer) 1.0.0 allows XSS via a crafted S3 bucket name to index.html.

MediumVulnerabilityUnited StatesGermanyUnited Kingdom+7#cve#cve-2024-28823

Hitron CODA-4582 2AHKM-CODA4589 7.2.4.5.1b8 devices allow a remote attacker within Wi-Fi proximity (who has access to the router admin panel) to conduct a DOM-based stored XSS attack that can fetch remote resources. The payload is executed at index.html#advanced_location (aka the Device Location page). This can cause a denial of service or lead to information disclosure.

MediumVulnerabilityUnited StatesCanadaUnited Kingdom+7#cve#cve-2024-28089

A DOM based cross-site scripting (XSS) vulnerability in the component index.html of jstrieb/urlpages before commit 035b647 allows attackers to execute arbitrary Javascript via sending a crafted URL.

MediumVulnerabilityUnited StatesGermanyUnited Kingdom+7#cve#cve-2024-26468

A cross-site scripting (XSS) vulnerability in the component /index/index.html of YZNCMS v1.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the configured remarks text field.

MediumVulnerabilityChinaIndiaUnited States+7#cve#cve-2024-42939

An issue the background management system of Shanxi Internet Chuangxiang Technology Co., Ltd v1.0.1 allows a remote attacker to cause a denial of service via the index.html component.

MediumVulnerabilityChinaIndiaRussia+6#cve#cve-2024-37681