GHSA-7QJX-GP9H-65QJ Dex: Token-exchange endpoint is missing AllowedConnectors enforcement
Summary: server/handlers.go::handleTokenExchange (lines 1804-1893) does not call isConnectorAllowed(client.AllowedConnectors, connID) before issuing tokens, while sibling handlers do. This is a per-client connector ACL gap on the token-exchange endpoint; the redirect-flow paths enforce the same field...
CVE-2026-46721
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...
PT-2026-40785
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: An issue exists where any user with Editor permissions can delete any snapshot, regardless of whether they have the necessary read or write access to those...
GHSA-7RX3-28CR-V5WH Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
Summary: The prototype method blocklist in lib/handlebars/internal/proto-access.js blocks constructor, __defineGetter__, __defineSetter__, and __lookupGetter__, but omits the symmetric __lookupSetter__. This omission is only exploitable when the non-default runtime option allowProtoMethodsByDefault: true is...
CVE-2026-33918
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint interface/billing/getclaimfile.php only verifies that the caller has a valid session and CSRF token, but does not check any ACL...
EUVD-2025-199819
In Apache CloudStack, a gap in access control checks affected the APIs createNetworkACL, listNetworkACLs, listResourceDetails, listVirtualMachinesUsageHistory and listVolumesUsageHistory. While these APIs were accessible only to authorized users, insufficient permission validation meant that...
PT-2025-48265
Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions prior to 4.20.2.0; Apache CloudStack versions prior to 4.22.0.0. Description: A flaw in access control checks within Apache CloudStack allowed authorized users to potentially access information beyond their intended...
PT-2024-5272 · Google · Google Chrome
Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 127.0.6533.72 Microsoft Edge affected versions not specified Description: The issue is related to inappropriate implementation in the Fullscreen component, allowing a remote attacker to spoof the contents of th...
CVE-2023-36631
Lack of access control in wfc.exe in Malwarebytes Binisoft Windows Firewall Control 6.9.2.0 allows local unprivileged users to bypass Windows Firewall restrictions via the user interface's rules tab. NOTE: the vendor's perspective is "this is intended behavior as the application can be locked usi...
PT-2023-25644 · Malwarebytes · Malwarebytes Binisoft Windows Firewall Control
Name of the Vulnerable Software and Affected Versions: Malwarebytes Binisoft Windows Firewall Control version 6.9.2.0 Description: The issue concerns a lack of access control in the wfc.exe component of Malwarebytes Binisoft Windows Firewall Control, allowing local unprivileged users to bypass...
The vulnerability in the firmware of Emerson WirelessHART Gateways (1420, 1410D, and 1410 series wireless hardware routers) stems from missing access control checks. This allows attackers to circumvent security restrictions, gain unauthorized access to protected information, and alter settings.
The vulnerability in the firmware of Emerson WirelessHART Gateways models 1420, 1410D, and 1410 is related to missing access control checks during system backup restoration. Exploiting this vulnerability can allow an attacker to bypass security restrictions, gain unauthorized...