Lucene search
K

859 matches found

Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.20 views

PT-2026-44461

An issue in SourceBans Material Admin before v.1.1.6 3ecd95e allows attackers to manipulate arbitrary user data in the web app via a crafted XAJAX call...

5.9AI score0.00308EPSS
Exploits0References5
NVD
NVD
added 2026/05/27 7:16 a.m.18 views

CVE-2026-8787

The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the firebaseauth function authenticating the request as the WordPress user whose email is supplied in the useremail POST parameter without...

8.8CVSS0.00283EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.15 views

PT-2026-43507

Name of the Vulnerable Software and Affected Versions Firebase Support & Chat Management plugin for WordPress versions prior to 3.1.2 Description An issue allows authenticated attackers with Subscriber-level access or higher to escalate privileges and achieve full account takeover. The firebase...

8.8CVSS5.8AI score0.00283EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/05/27 12:0 a.m.11 views

WordPress Meta Field Block – Display custom fields in the Block Editor without coding plugin <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure vulnerability

Insecure Direct Object Reference to Authenticated Contributor+ Arbitrary User Meta Exposure vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Meta Field Block versions = 1.5.1...

6.5CVSS5.8AI score0.00243EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/05/21 8:35 p.m.12 views

GHSA-CHQV-VRJ7-QFFP NocoDB: Shared-base link access can invite arbitrary users as persistent base members

Summary Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID xc-shared-base-id, an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the...

5.8CVSS5.9AI score0.00296EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/21 7:34 a.m.10 views

CVE-2026-44058

An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism...

7.2CVSS6AI score0.00532EPSS
Exploits0References2Affected Software1
AlpineLinux
AlpineLinux
added 2026/05/21 7:34 a.m.12 views

CVE-2026-44058

An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism...

7.2CVSS6AI score0.00532EPSS
Exploits0
ATTACKERKB
ATTACKERKB
added 2026/05/19 10:52 a.m.12 views

CVE-2026-37978

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...

4.9CVSS5.9AI score0.00398EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/19 10:52 a.m.10 views

CVE-2026-37978 Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...

4.9CVSS5.9AI score0.00398EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/19 10:52 a.m.14 views

EUVD-2026-30882

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...

4.9CVSS5.9AI score0.00398EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/19 10:52 a.m.52 views

CVE-2026-37978 Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...

4.9CVSS0.00398EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/19 10:47 a.m.50 views

CVE-2026-37978

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...

4.9CVSS5.8AI score0.00398EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/19 9:19 a.m.8 views

CVE-2026-46721

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...

6.9CVSS5.9AI score0.00352EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/05/19 12:0 a.m.11 views

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak itself. Keycloak has a security vulnerability, which stems from low-privilege administrators with the view-clients role being able to exploit the evaluate-scopes management API endpoint by passing arbitrary...

4.9CVSS5.9AI score0.00398EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/13 2:22 p.m.7 views

CVE-2026-31241

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...

6.5CVSS6AI score0.00386EPSS
Exploits0References1
OSV
OSV
added 2026/05/12 6:30 p.m.8 views

GHSA-GQ6F-QWV9-RF4J mem0 server lacks authentication and authorization controls for its memory deletion API endpoint

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...

6.5CVSS6AI score0.00386EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/12 12:0 a.m.9 views

CVE-2026-31241

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...

6AI score0.00386EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/06 8:42 p.m.13 views

Brute Force

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Brute Force via the check process. An attacker can gain unauthorized administrative access by submitting arbitrary user-id and token values to the...

9.3CVSS5.9AI score0.00339EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/02 1:26 p.m.32 views

CVE-2026-2554 WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfmdeletewcfmcustomer' due to missing validation on the 'customerid' user...

8.1CVSS0.00328EPSS
Exploits0References3
NVD
NVD
added 2026/04/28 2:16 p.m.8 views

CVE-2026-40551

mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects mpGabinet version 23.12.19...

8.4CVSS0.00132EPSS
Exploits0References2
Rows per page
Query Builder