Lucene search
+L

1592 matches found

OSV
OSV
added 2026/06/08 11:7 p.m.8 views

GHSA-8GHR-W65F-J3QR FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions

Summary An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be restricted to administrators. Details The Scheduler API did not correctly enforce administrator permissions when processing scheduler modifications. As a...

6.3CVSS5.7AI score0.00048EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/08 11:7 p.m.14 views

FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions

Summary An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be restricted to administrators. Details The Scheduler API did not correctly enforce administrator permissions when processing scheduler modifications. As a...

5.7AI score0.00048EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.18 views

PT-2026-47618

Name of the Vulnerable Software and Affected Versions FUXA versions prior to 1.3.2 Description An authorization issue in the Scheduler API allows authenticated non-admin users to create or modify scheduled actions that are restricted to administrators. The API fails to correctly enforce...

6.3CVSS5.6AI score0.00048EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.10 views

OpenMetadata 安全漏洞

OpenMetadata is an open-source platform for discovery, observability, and governance, supported by a central metadata storage repository, deep lineage, and seamless team collaboration. Prior to OpenMetadata 1.12.4, there were security vulnerabilities. These vulnerabilities stemmed from a workflow...

8.3CVSS5.3AI score0.00241EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.10 views

CVE-2026-6495

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

7.1CVSS5.4AI score0.00184EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:26 p.m.15 views

CVE-2026-40105

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 10.4-rc-1, through 16.10.15, 17.0.0-rc-1, through 17.4.7 and 17.5.0-rc-1 through 17.10.0 contain a reflected cross-site scripting vulnerability XSS in the comparison view between...

6.5CVSS5.3AI score0.00549EPSS
Exploits0References1
OSV
OSV
added 2026/06/05 1:57 p.m.8 views

SUSE-SU-2026:22047-1 Security update for NetworkManager

This update for NetworkManager fixes the following issues: Security fixes: - CVE-2025-9615: Fixed non-admin user using others' certificates bsc1257359. Other fixes: - Accept localhost hostnames if static bsc1257366...

3.3CVSS5.2AI score0.00162EPSS
Exploits0References4
CVE
CVE
added 2026/06/04 12:51 p.m.22 views

CVE-2026-10854

CVE-2026-10854 affects MISP: a visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based acce...

5.3CVSS5.8AI score0.00176EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/02 2:8 p.m.13 views

EUVD-2026-33937

Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations...

5.4CVSS5.8AI score0.00138EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/01 10:13 p.m.13 views

CVE-2026-45279

A flaw was found in Nextcloud Server. This vulnerability allows non-admin users to perform a path traversal when the lang variable is used in the template directory configuration. An attacker can exploit this to copy arbitrary files, subject to existing Unix permissions, into their own Nextcloud...

6.5CVSS5.8AI score0.00392EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/01 4:52 p.m.13 views

CVE-2026-45279

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if lang is used in the template directory config value, non-admin users can in some cases copy arbitrary files depending on unix permissions into...

4.4CVSS5.9AI score0.00392EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/01 4:52 p.m.12 views

CVE-2026-45279 Nextcloud: Limited path traversal via template API if using `{lang}` in config

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if lang is used in the template directory config value, non-admin users can in some cases copy arbitrary files depending on unix permissions into...

4.4CVSS5.9AI score0.00392EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/01 4:52 p.m.20 views

EUVD-2026-33705

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if lang is used in the template directory config value, non-admin users can in some cases copy arbitrary files depending on unix permissions into...

4.4CVSS5.9AI score0.00392EPSS
Exploits0References3
OSV
OSV
added 2026/06/01 7:20 a.m.3 views

CVE-2026-49157 Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default

Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin low-privilege web-login accounts access to Jolokia operations which allowed executing broker...

8.8CVSS5.9AI score0.00424EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/05/29 8:13 p.m.13 views

CVE-2026-33590

Insecure default settings of Portainer CE grant regular non-admin users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with endpoint access can exploit these settings to read host files or obtain root equivalent access on the...

9.4CVSS5.9AI score0.00452EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/29 7:47 p.m.18 views

EUVD-2026-33437

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note private thread from any conversation, even after that user's access to the mailbox containing the conversation has been...

4.3CVSS5.7AI score0.00155EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 4:15 p.m.11 views

CVE-2026-45630

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation...

9CVSS6.1AI score0.00763EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/05/29 4:15 p.m.31 views

CVE-2026-45630

Dokploy contains an authenticated OS command injection in the updateTraefikConfig tRPC endpoint for versions up to 0.28.8 (and earlier). The root cause is unsanitized echo shell interpolation, enabling admin/owner users to run arbitrary commands on remote servers. Impact is high (full command exe...

9CVSS6.1AI score0.00763EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.18 views

PHP-SHOP 跨站请求伪造漏洞

PHP-SHOP is an online shopping system developed by joeyrush, based on PHP. Version 1.0 of PHP-SHOP has a cross-site request forgeing vulnerability. This vulnerability stems from the lack of verification of the request source, which may allow unauthenticated attackers to add administrative users...

6.9CVSS5.7AI score0.00162EPSS
Exploits0References3
NVD
NVD
added 2026/05/28 11:16 p.m.16 views

CVE-2026-6816

An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2...

5.1CVSS0.00321EPSS
Exploits1References3
Rows per page
Query Builder