CVE-2026-42610
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (e.g. a Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing the grav['accounts'] service. An attacker can programmatically load administrative user objects and extra...
CVE-2026-42610
Grav CMS vulnerability CVE-2026-42610: A low-privilege user can bypass Twig sandbox via grav['accounts'] to load administrative user objects and extract sensitive data (e.g., bcrypt password hashes and the security salt). This information disclosure affects Grav before 2.0.0-beta.2. The issue is ...
Grav Security Vulnerability
Grav is a scalable content management system (CMS) developed by the Grav open-source community, suitable for personal blogs, small content publishing platforms, and single-page product displays. Versions of Grav prior to 2.0.0-beta.2 contain security vulnerabilities. These vulnerabilities...
Incorrect Authorization
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Incorrect Authorization via the grav['accounts'] service. An attacker can access sensitive user data, including password hashes and security...
GHSA-3F29-PQWF-V4J4 Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass
Summary Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches (notably in v1.8.0-beta.27/28) aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed. A low-privileged user, e.g. a Content Editor with only...
PT-2026-37276
Name of the Vulnerable Software and Affected Versions Grav versions prior to 2.0.0-beta.2 Description A low-privileged user, such as a Content Editor with pages.update permissions, can bypass Twig sandbox restrictions by utilizing the grav['accounts'] service. This allows an attacker to...
Azure Linux 3.0 Security Update: accountsservice (CVE-2012-6655)
The version of accountsservice installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2012-6655 advisory. - An issue exists in AccountsService 0.6.37 in the user_change_password_authorized_cb function in user.c, which...
USN-6687-1 accountsservice vulnerability
It was discovered that AccountsService called a helper incorrectly when performing password change operations. A local attacker could possibly use this issue to obtain encrypted passwords...
USN-6190-2 accountsservice vulnerability
USN-6190-1 fixed a vulnerability in AccountsService. This update provides the corresponding update for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Original advisory details: Kevin Backhouse discovered that AccountsService incorrectly handled certain D-Bus messages. A local attacker...
USN-6190-1 accountsservice vulnerability
Kevin Backhouse discovered that AccountsService incorrectly handled certain D-Bus messages. A local attacker could use this issue to cause AccountsService to crash, resulting in a denial of service, or possibly execute arbitrary code...
MAL-2023-329 Malicious code in fc-accounts-service (npm)
Source: ghsa-malware b557b50f99f6f32efe3fd6bfa3bd3a29383430ab4a8beab13cf65d210eaf549d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2012-2737
The user_change_icon_file_authorized_cb function in /usr/libexec/accounts-daemon in AccountsService before 0.6.22 does not properly check the UID when copying an icon file to the system cache directory, which allows local users to read arbitrary files via a race condition...
SUSE CVE-2018-14036
Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb in user.c...
A vulnerability in the Ubuntu-specific AccountsService modification (debian/patches/0010-set-language.patch) allows an attacker to escalate their privileges.
A vulnerability in the Ubuntu-specific AccountsService modification (debian/patches/0010-set-language.patch) involves freeing memory that was not previously allocated. Exploiting this vulnerability can allow an attacker to escalate their privileges...
CVE-2020-16126
An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, improperly dropped the ruid, allowing untrusted users to send signals to AccountsService, thus stopping it from handling D-Bus messages in a timely fashion...
AZL-44049 CVE-2012-6655 affecting package accountsservice for versions less than 23.13.9-1
An issue exists in AccountsService 0.6.37 in the user_change_password_authorized_cb function in user.c, which could let local users obtain encrypted passwords...
UBUNTU-CVE-2018-14036
Directory Traversal with ../ sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb in user.c...
CVE-2012-2737
The user_change_icon_file_authorized_cb function in /usr/libexec/accounts-daemon in AccountsService before 0.6.22 does not properly check the UID when copying an icon file to the system cache directory, which allows local users to read arbitrary files via a race condition...