Lucene search
K

2645 matches found

CVE
CVE
added 38 minutes ago3 views

CVE-2026-50007

Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with useraccess on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users...

7.2CVSS0.00018EPSS
Exploits0References5
CVE
CVE
added 4 hours ago6 views

CVE-2026-48957

The CVE-2026-48957 entry concerns Joomla! Core – specifically the com_privacy webservice endpoints. The connected documents describe an improper access check that allows unauthorized users to access com_privacy datasets, indicating a flaw in access control at the webservice layer. The affected co...

6.4CVSS6AI score
Exploits0References1
NVD
NVD
added 17 hours ago5 views

CVE-2026-34048

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes...

9.9CVSS
Exploits0References3
CVE
CVE
added 18 hours ago10 views

CVE-2026-34037

Coolify prior to v4.0.0-beta.464 is affected by a broken object-level authorization in cloneTo() within ResourceOperations.php. The action authenticates the source resource but resolves destination resources with unscoped Eloquent lookups, enabling cross-tenant cloning where an authenticated user...

9.9CVSS5.9AI score
Exploits0References3
Cvelist
Cvelist
added 18 hours ago9 views

CVE-2026-34047 Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources...

9.9CVSS
Exploits0References4
Cvelist
Cvelist
added yesterday30 views

CVE-2026-42331 FOSSBilling missing authorization in guest Invoice API endpoints

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the...

7.7CVSS
Exploits0References1
Cvelist
Cvelist
added yesterday31 views

CVE-2026-59712 Leantime - Credential Disclosure via Unauthenticated JSON-RPC users.getUser Method

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to...

8.6CVSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2 days ago4 views

CVE-2026-14778

A security vulnerability has been detected in SourceCodester Onlne Examination & Learning Management System 1.0. This affects an unknown part of the file /ajaxenroll.php of the component Enrollment Management. The manipulation of the argument studentid/scheduleid/action leads to improper...

7.5CVSS6.6AI score0.00294EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 2 days ago37 views

CVE-2026-14716 nextlevelbuilder GoClaw WebSocket RPC router.go MethodRouter.Handle authorization

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.13.0-beta.2. Impacted is the function MethodRouter.Handle of the file internal/gateway/router.go of the component WebSocket RPC Handler. Such manipulation leads to incorrect authorization. The attack may be launched...

6.5CVSS0.00228EPSS
Exploits0References6
NVD
NVD
added 2 days ago9 views

CVE-2026-14693

A flaw has been found in SourceCodester Multi-Vendor Online Grocery Management System 1.0. Affected by this vulnerability is the function cancelorder of the file classes/Master.php. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The exploit h...

5.5CVSS0.0023EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2 days ago6 views

CVE-2026-14690

A weakness has been identified in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This affects the function saveusers of the file classes/Users.php. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made availabl...

7.5CVSS6.8AI score0.00288EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-58422 Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts

Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts...

0.00162EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-55655

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description Improper authorization occurs during the OAuth sign-in callback process, which allows accounts that were previously disabled by an administrator to be silently...

5.9AI score0.00162EPSS
Exploits0References7
NVD
NVD
added 5 days ago5 views

CVE-2026-58580

LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibli...

6CVSS0.00154EPSS
Exploits0References2
CVE
CVE
added 5 days ago11 views

CVE-2026-59100

CVE-2026-59100 affects LobeChat up to version 2.2.9. It describes a broken object level authorization allowing authenticated attackers to access and modify other users’ chat-group agent data by supplying arbitrary group identifiers. Attackers can call getGroupAgents, updateAgentInGroup, and remov...

5CVSS5.9AI score0.0018EPSS
Exploits0References4
EUVD
EUVD
added 5 days ago8 views

EUVD-2026-41154

Craft CMS: Unauthorized Deletion of Source Assets During File Replacement...

5.3CVSS5.8AI score0.00265EPSS
Exploits0References3
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-41416

Craft CMS is a content management system CMS. Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function...

7.1CVSS5.7AI score0.00207EPSS
Exploits0References1
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-14340 An incorrect authorization vulnerability in GitHub Enterprise Server allows issue creation in unrelated public repositories

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization...

5.3CVSS0.00284EPSS
Exploits0References6
NVD
NVD
added 6 days ago9 views

CVE-2026-53902

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrar...

7.1CVSS0.00247EPSS
Exploits0References2
EUVD
EUVD
added 6 days ago8 views

EUVD-2026-40951

MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References2
Rows per page
Query Builder