CVE-2026-25497
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their...
Craft CMS: GraphQL Asset Mutation Privilege Escalation
There is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not...
CVE-2026-25497 Craft has a GraphQL Asset Mutation Privilege Escalation
CVE-2026-25497
CVE-2026-25497 : Privilege escalation in Craft CMS GraphQL API affecting versions 4.0.0-RC1 through before 4.17.0-beta.1 and 5.9.0-beta.1. An authenticated user with write access to one asset volume can escalate privileges and modify/transfer assets across volumes, including private or restricted...
PT-2026-7147
Bulletproof Host Stark Industries Evades EU Sanctions
In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But ne...
Use of transferFrom() rather than safeTransferFrom() for NFTs will lead to the loss of NFTs
Lines of code 230, 342, 514, 536 Vulnerability details The EIP-721 standard says the following about transferFrom: /// @notice Transfer ownership of an NFT -- THE CALLER IS RESPONSIBLE /// TO CONFIRM THAT to IS CAPABLE OF RECEIVING NFTS OR ELSE /// THEY MAY BE PERMANENTLY LOST /// @dev Throws...
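The difference the finding relies on, as an added example (not code from the audited project): a contract with no onERC721Received hook receives an NFT via transferFrom and can never move it again, while safeTransferFrom refuses the transfer. The Sink, VaultUnsafe, VaultSafe and Receiver contracts are hypothetical; the interfaces follow EIP-721. Access control on release() is omitted to keep the comparison short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Interfaces follow EIP-721;
// the vault, sink and receiver contracts are hypothetical.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// A contract with no onERC721Received and no way to call transferFrom on the NFT:
// any token sent here with transferFrom is permanently lost.
contract Sink {}

// Vulnerable pattern from the finding: transferFrom hands the token to `to` without
// asking whether `to` is able to take custody of ERC-721 tokens.
contract VaultUnsafe {
    function release(IERC721 nft, uint256 tokenId, address to) external {
        // @audit if `to` is a contract like Sink, the NFT is stuck there forever
        nft.transferFrom(address(this), to, tokenId);
    }
}

// Hardened form: for a contract recipient, safeTransferFrom calls onERC721Received
// and reverts unless the EIP-721 magic value is returned, so the transfer fails
// loudly instead of burning the token.
contract VaultSafe {
    function release(IERC721 nft, uint256 tokenId, address to) external {
        nft.safeTransferFrom(address(this), to, tokenId);
    }
}

// A recipient that can take custody: it returns the selector EIP-721 expects.
contract Receiver is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Calling VaultSafe.release with a Sink address reverts inside the NFT contract's safeTransferFrom; VaultUnsafe.release succeeds and the token is gone. The check lives in the NFT implementation, so the vault only benefits from it by choosing the safe entry point.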
REDUNDANT ERC1155 OCEAN TOKEN BALANCE UPDATE OF THE OceanAdapter CONTRACT COULD LEAD TO DoS OF THE Ocean._computeOutputAmount TRANSACTION
Lines of code Vulnerability details Impact The Ocean.computeOutputAmount function is used to compute the output amount of an output token when the input token and input token amount are given. The Ocean.computeOutputAmount function mutates the ERC1155 token ledger amounts for the primitives and al...
The deposited amount is included in how rsEthAmountToMint is calculated and it should not be. Second depositors get fewer rsETH shares than deserved.
Lines of code Vulnerability details Impact All deposits, starting with the second one, incur a loss in the received rsETH amount. Proof of Concept LRTDepositPool::depositAsset lets users stake LST in exchange for rsETH shares. First the LST is transferred from the user to the depositPool, and rsETH is...
Signed data may be usable cross-chain
Lines of code Vulnerability details Impact The function validatePreTransactionOverridable, which validates a transaction on the guard before execution for Brahma console accounts, takes one parameter, "txParams", of type SafeTransactionParams. If we look at that struct's members: struct...
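Why signed data that omits the chain becomes replayable, and the usual fix, as an added example that is not the Brahma console code: the TxParams struct, the guard contracts and the Sig library below are hypothetical stand-ins, and only the replay mechanism matches the finding. GuardReplayable hashes just the transaction fields, so a signature produced for one chain verifies on any other chain where the same addresses exist (deterministic deployments make that common). GuardBound builds an EIP-712 digest whose domain separator includes block.chainid and the verifying contract, so the same signature bytes are rejected elsewhere.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Brahma console code. Struct fields, contract names and the
// signature library are assumed for illustration.
struct TxParams {
    address to;
    uint256 value;
    bytes data;
    uint256 nonce;
}

library Sig {
    // Recover the signer of `digest` from a 65-byte (r, s, v) signature.
    function recover(bytes32 digest, bytes memory signature) internal pure returns (address) {
        require(signature.length == 65, "bad sig length");
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := mload(add(signature, 32))
            s := mload(add(signature, 64))
            v := byte(0, mload(add(signature, 96)))
        }
        // Reject malleable high-s signatures (s must be <= secp256k1n / 2).
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "bad sig");
        return signer;
    }
}

// Vulnerable: the digest covers only the transaction fields. Nothing binds it to a chain
// or to this guard instance, so the owner's signature for chain A is valid on chain B.
contract GuardReplayable {
    address public immutable owner;
    mapping(uint256 => bool) public used;

    constructor(address _owner) { owner = _owner; }

    function validate(TxParams calldata p, bytes calldata sig) external {
        bytes32 digest = keccak256(abi.encode(p.to, p.value, keccak256(p.data), p.nonce));
        require(Sig.recover(digest, sig) == owner, "not owner");
        require(!used[p.nonce], "replayed"); // stops replay on THIS chain only
        used[p.nonce] = true;
    }
}

// Hardened: EIP-712 domain separator with chainId and verifyingContract. The separator is
// recomputed per call rather than cached in the constructor so it stays correct after a
// chain fork changes block.chainid.
contract GuardBound {
    address public immutable owner;
    mapping(uint256 => bool) public used;
    bytes32 private constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
    bytes32 private constant TX_TYPEHASH =
        keccak256("TxParams(address to,uint256 value,bytes data,uint256 nonce)");

    constructor(address _owner) { owner = _owner; }

    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH, keccak256("Guard"), keccak256("1"), block.chainid, address(this)
        ));
    }

    function validate(TxParams calldata p, bytes calldata sig) external {
        bytes32 structHash = keccak256(abi.encode(TX_TYPEHASH, p.to, p.value, keccak256(p.data), p.nonce));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
        require(Sig.recover(digest, sig) == owner, "not owner");
        require(!used[p.nonce], "replayed");
        used[p.nonce] = true;
    }
}
```

The nonce map alone is not a defence: it is per-deployment state, and the replay happens on a different chain with its own, empty map. Binding chainId and verifyingContract into the digest is what closes the gap.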
The tokenType is concatenated rather than tightly integrated. An attacker could manipulate just the type byte of the hash.
Lines of code Vulnerability details Impact The attacker can create an unintended type of order and asset transfer. Proof of Concept The tokenType is concatenated rather than tightly integrated. An attacker could manipulate just the type byte of the hash. The issue is that the tokenType is...
Attacker can steal vault funds through the deposit function.
Lines of code Vulnerability details Impact In the deposit function, a check is made to see if the amount of assets being deposited by the user is greater than the amount of assets the vault currently holds. The vault then transfers the difference between the assets being deposited and the vault’s...
addLiquidity() unable to work
Lines of code Vulnerability details Impact Because the asset is never first transferred to the router, addLiquidity cannot work. Proof of Concept UlyssesRouter.addLiquidity is used to mint LP. The code is as follows: function addLiquidity(uint256 amount, uint256 minOutput, uint256 poolId) external returns...
Malicious member can steal funds from the DAO contract.
Lines of code Vulnerability details Impact A malicious member can steal assets from the DAO protocol. Proof of Concept The protocol gives a member with voting power the ability to create a proposal via createProposal, where the action struct in the parameter is consumed by the DAO's execute...
Payment multiple functions do not check the caller
Lines of code Vulnerability details Impact Multiple functions in the Payment contract do not check the caller; for example, an attacker can directly call refundETH to transfer assets out of the contract: function refundETH() external payable //@audit if address(this).balance 0...
Missing input validation can lead to accidental burning of tokens
Lines of code Vulnerability details Impact Some token transfers do not check that the receiving address is not the zero address. This can lead to an unintended burning of tokens. Proof of Concept 1. Assume Alice uses a web3 frontend to interact with a DAI/USDT pool. 2. Alice wants to swap DAI for...
Possible reentrancy attack on deposit function
Lines of code Vulnerability details Impact In the deposit function the shares are calculated before asset.safeTransferFrom. One possible scenario is when the supply is 0 (totalSupply[id] == 0): convertToShares then returns assets, so if the asset is an ERC777 token a contract sender could call again th...
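The re-entry point the finding describes, as an added example rather than the audited vault's code: ERC777 tokens invoke a tokensToSend hook on a contract sender before balances move, so a deposit that prices shares first and transfers second hands control to the sender while the vault's accounting is stale. The Hooked777 token, the two vaults, the IVault interface and the Reenter contract are hypothetical (allowances and withdrawals are not modelled). Reenter's nested deposit goes through against VaultVulnerable; against VaultGuarded the nested call hits the reentrancy guard and the whole transaction reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited vault. Token, vaults and attacker are hypothetical;
// only the ordering problem (shares priced before the transfer) is from the finding.
interface ITokensSender {
    function tokensToSend(address from, address to, uint256 amount) external;
}

interface IVault {
    function deposit(uint256 id, uint256 assets) external returns (uint256);
}

// Minimal ERC777-style token: calls tokensToSend on a contract sender BEFORE balances move.
contract Hooked777 {
    mapping(address => uint256) public balanceOf;

    constructor(address holder, uint256 supply) { balanceOf[holder] = supply; }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (from.code.length > 0) ITokensSender(from).tokensToSend(from, to, amount); // re-entry point
        require(balanceOf[from] >= amount, "insufficient");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vulnerable ordering: (1) price shares on current state, (2) external call, (3) write state.
// During the hook in step 2 the vault's supply and balance are still the pre-deposit values.
contract VaultVulnerable is IVault {
    Hooked777 public immutable asset;
    mapping(uint256 => uint256) public totalSupply;
    mapping(uint256 => mapping(address => uint256)) public balanceOf;

    constructor(Hooked777 a) { asset = a; }

    function convertToShares(uint256 id, uint256 assets) public view returns (uint256) {
        uint256 supply = totalSupply[id];
        uint256 held = asset.balanceOf(address(this));
        return (supply == 0 || held == 0) ? assets : assets * supply / held;
    }

    function deposit(uint256 id, uint256 assets) external override returns (uint256 shares) {
        shares = convertToShares(id, assets);                  // (1) priced on stale state
        asset.transferFrom(msg.sender, address(this), assets); // (2) hook fires here
        totalSupply[id] += shares;                             // (3) effects after interaction
        balanceOf[id][msg.sender] += shares;
    }
}

// Hardened: reentrancy guard, and shares are minted from the amount actually received,
// measured after the transfer (this also handles fee-on-transfer tokens).
contract VaultGuarded is IVault {
    Hooked777 public immutable asset;
    mapping(uint256 => uint256) public totalSupply;
    mapping(uint256 => mapping(address => uint256)) public balanceOf;
    uint256 private locked = 1;

    constructor(Hooked777 a) { asset = a; }

    modifier nonReentrant() {
        require(locked == 1, "reentrant");
        locked = 2;
        _;
        locked = 1;
    }

    function deposit(uint256 id, uint256 assets) external override nonReentrant returns (uint256 shares) {
        uint256 before = asset.balanceOf(address(this));
        asset.transferFrom(msg.sender, address(this), assets);
        uint256 received = asset.balanceOf(address(this)) - before;
        uint256 supply = totalSupply[id];
        shares = (supply == 0 || before == 0) ? received : received * supply / before;
        totalSupply[id] += shares;
        balanceOf[id][msg.sender] += shares;
    }
}

// Attacker: re-enters deposit from the ERC777 hook, a few levels deep.
contract Reenter is ITokensSender {
    IVault public immutable vault;
    uint256 public depth;

    constructor(IVault v) { vault = v; }

    function attack(uint256 id, uint256 assets) external { vault.deposit(id, assets); }

    function tokensToSend(address, address, uint256 amount) external override {
        if (depth++ < 3) vault.deposit(0, amount); // nested deposit while accounting is stale
    }
}
```

Two things close the hole: the guard makes the nested call impossible, and computing shares from the measured received amount after the transfer means the price no longer depends on state that an external call could change mid-function.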
Assets can be transferred to zero address on operational mistake
Lines of code Vulnerability details It is possible to withdraw all the assets after a Buyout, before settleVault has run and a newVault has been created, because the asset transfer functions do not check the address. Proof of Concept /// @notice Migrates an ERC-20 token to the new vault after a successful migration ///...
withdrawFees() function should require the to address to not be zero
Lines of code Vulnerability details Impact withdrawFees does not check that the to address is not zero, and sends the fee to that address without any check confirming that the admin has set it. bentoBox does not accept transfers to the zero address, otherwise this could be high risk. Proof of Concept As you can...
Index mint and burn calls can be front run
Lines of code Vulnerability details Impact In both the mint and burn cases, all the assets supplied by a user (or due to a user) can be stolen by an attacker who detects the corresponding asset transfer calls / Index token transfer call and front-runs the Index contract's mint / burn call with their own address as a...
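The race the finding describes, as an added example that is not the audited Index contract's code: IndexFrontRunnable uses the two-step flow where the user first transfers assets (or index shares) to the contract and then calls mint (or burn) in a separate transaction, so whoever calls first is credited. IndexAtomic pulls the assets from msg.sender inside mint and takes the shares from msg.sender inside burn, so there is never an unattributed balance sitting in the contract for a front-runner to claim. The IERC20 interface and both contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited Index contract. Names are hypothetical; the two-step
// "transfer then mint/burn" flow and the atomic fix are what the finding describes.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable: mint() credits whatever assets arrived since the last call to `recipient`.
// Victim sends assets in tx 1 and calls mint in tx 2; an attacker who sees tx 1 in the
// mempool submits mint(attacker) with a higher fee and takes the shares. burn() has the
// same shape: index shares sent here in tx 1 are redeemed by the first caller of burn.
contract IndexFrontRunnable {
    IERC20 public immutable asset;
    mapping(address => uint256) public balanceOf; // index shares
    uint256 public totalSupply;
    uint256 public lastAssets;

    constructor(IERC20 a) { asset = a; }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient shares");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }

    function mint(address recipient) external returns (uint256 shares) {
        uint256 current = asset.balanceOf(address(this));
        uint256 received = current - lastAssets; // attributed to whoever calls first
        shares = (totalSupply == 0 || lastAssets == 0) ? received : received * totalSupply / lastAssets;
        lastAssets = current;
        totalSupply += shares;
        balanceOf[recipient] += shares;
    }

    function burn(address recipient) external returns (uint256 assets) {
        uint256 shares = balanceOf[address(this)]; // shares parked here by an earlier tx
        require(shares > 0 && totalSupply > 0, "nothing to burn");
        assets = shares * lastAssets / totalSupply;
        balanceOf[address(this)] = 0;
        totalSupply -= shares;
        lastAssets -= assets;
        asset.transfer(recipient, assets); // same race: first caller gets the assets
    }
}

// Hardened: asset movement and accounting happen in one transaction, pulled from msg.sender.
contract IndexAtomic {
    IERC20 public immutable asset;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    uint256 public totalAssets;

    constructor(IERC20 a) { asset = a; }

    function mint(uint256 amount, address recipient) external returns (uint256 shares) {
        uint256 before = asset.balanceOf(address(this));
        asset.transferFrom(msg.sender, address(this), amount); // caller must approve() first
        uint256 received = asset.balanceOf(address(this)) - before;
        shares = (totalSupply == 0 || totalAssets == 0) ? received : received * totalSupply / totalAssets;
        totalAssets += received;
        totalSupply += shares;
        balanceOf[recipient] += shares;
    }

    function burn(uint256 shares, address recipient) external returns (uint256 assets) {
        require(balanceOf[msg.sender] >= shares, "insufficient shares");
        require(totalSupply > 0, "empty");
        assets = shares * totalAssets / totalSupply;
        balanceOf[msg.sender] -= shares;
        totalSupply -= shares;
        totalAssets -= assets;
        asset.transfer(recipient, assets);
    }
}
```

The atomic version costs the user an approve() call, but the asset never sits in the contract unattributed between two transactions, which is the window the front-runner needs. Measuring the balance delta rather than trusting `amount` keeps the accounting honest for fee-on-transfer tokens as well.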