Lucene search
30 matches found

CVE (added 4 days ago, 16 views)

CVE-2026-56345

AVideo 29.0 contains an authorization bypass via the Meet plugin's uploadRecordedVideo.json.php endpoint. The vulnerability derives the target users_id from the uploaded filename without verification, allowing a crafted file (e.g., filename like 1-anything.mp4) to trigger passwordless User->lo...

CVSS 9.2, AI score 6, EPSS 0.00295
Exploits: 0, References: 2
NVD (added 6 days ago, 10 views)

CVE-2026-54105

The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a reque...

CVSS 6.9, EPSS 0.003
Exploits: 0, References: 4
RedhatCVE (added 2026/06/05 7:22 p.m., 9 views)

CVE-2026-7802

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

CVSS 8.8, AI score 5.6, EPSS 0.00402
Exploits: 0, References: 1
NVD (added 2026/05/28 5:16 a.m., 14 views)

CVE-2026-7802

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

CVSS 8.8, EPSS 0.00402
Exploits: 0, References: 14
ATTACKERKB (added 2026/05/19 10:52 a.m., 8 views)

CVE-2026-37978

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage,...

CVSS 4.9, AI score 5.9, EPSS 0.00398
Exploits: 0, References: 5
Cvelist (added 2026/05/19 10:52 a.m., 41 views)

CVE-2026-37978 Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage,...

CVSS 4.9, EPSS 0.00398
Exploits: 0, References: 4
EUVD (added 2026/05/19 10:52 a.m., 11 views)

EUVD-2026-30882

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage,...

CVSS 4.9, AI score 5.9, EPSS 0.00398
Exploits: 0, References: 2
RedhatCVE (added 2026/05/19 10:47 a.m., 7 views)

CVE-2026-37978

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage,...

CVSS 4.9, AI score 5.8, EPSS 0.00398
Exploits: 0, References: 3
Snyk (added 2026/05/06 8:42 p.m., 8 views)

Brute Force

Overview: thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Brute Force via the check process. An attacker can gain unauthorized administrative access by submitting arbitrary user-id and token values to the...

CVSS 9.3, AI score 5.9, EPSS 0.00339
Exploits: 0, References: 2
Snyk (added 2026/04/16 10:48 p.m., 7 views)

Insufficient Verification of Data Authenticity

Overview: Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary user identifier in the request body, causing the system to...

CVSS 5.3, AI score 5.9
Exploits: 0, References: 2
Vulnrichment (added 2026/04/08 1:55 p.m., 3 views)

CVE-2025-57854 Osus-operator: privilege escalation via excessive /etc/passwd permissions

A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, ev...

CVSS 6.4, AI score 6, EPSS 0.00145
Exploits: 0, References: 2
Positive Technologies (added 2026/04/08 12:00 a.m., 5 views)

PT-2026-31310

A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected containe...

CVSS 6.4, AI score 6.1, EPSS 0.00113
Exploits: 0, References: 4
Positive Technologies (added 2026/04/08 12:00 a.m., 2 views)

PT-2026-31311

Name of the Vulnerable Software and Affected Versions: Web Terminal images (affected versions not specified). Description: A container privilege escalation flaw exists due to the /etc/passwd file being created with group-writable permissions during the build process. An attacker with command execution...

CVSS 6.4, AI score 6, EPSS 0.00158
Exploits: 0, References: 5
CVE (added 2026/03/02 11:22 p.m., 13 views)

CVE-2026-1566

The CVE affects LatePoint

CVSS 8.8, AI score 6, EPSS 0.003
Exploits: 0, References: 2
EUVD (added 2026/03/02 11:22 p.m., 4 views)

EUVD-2026-9269

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to se...

CVSS 8.8, AI score 6, EPSS 0.003
Exploits: 0, References: 2
Positive Technologies (added 2026/03/02 12:00 a.m., 5 views)

PT-2026-22706

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to se...

CVSS 8.8, AI score 6, EPSS 0.003
Exploits: 0, References: 3
CNNVD (added 2025/10/30 12:00 a.m., 4 views)

Seeyon Zhiyuan OA Web Application System Security Vulnerability

Seeyon Zhiyuan OA Web Application System is a comprehensive office automation platform from Seeyon. A security vulnerability exists in Seeyon Zhiyuan OA Web Application System 7.0 SP1 and prior versions, which stems from improper encoding and parsing of parameters in thirdpartyController.do, whic...

CVSS 9.3, AI score 6.7, EPSS 0.00551
Exploits: 0, References: 4
EUVD (added 2025/10/03 8:07 p.m., 4 views)

EUVD-2025-31743

Malicious code in bioql PyPI...

CVSS 5.2, AI score 6.3, EPSS 0.00144
Exploits: 0, References: 9
Cvelist (added 2024/07/05 12:00 a.m., 37 views)

CVE-2024-37768

14Finger v1.1 was discovered to contain an arbitrary user deletion vulnerability via the component /api/admin/user?id...

EPSS 0.00572
Exploits: 1, References: 1
WPVulnDB (added 2023/05/22 12:00 a.m., 30 views)

MStore API < 3.9.2 - Authentication Bypass

The plugin does not properly verify the user provided when syncing their cart via its REST API, allowing unauthenticated users to login as an arbitrary user by providing their ID...

CVSS 9.8, AI score 7, EPSS 0.03805
Exploits: 0, Affected Software: 1