2645 matches found
CVE-2026-50007
Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with useraccess on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users...
CVE-2026-48957
The CVE-2026-48957 entry concerns Joomla! Core – specifically the com_privacy webservice endpoints. The connected documents describe an improper access check that allows unauthorized users to access com_privacy datasets, indicating a flaw in access control at the webservice layer. The affected co...
CVE-2026-34048
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes...
CVE-2026-34037
Coolify prior to v4.0.0-beta.464 is affected by a broken object-level authorization in cloneTo() within ResourceOperations.php. The action authenticates the source resource but resolves destination resources with unscoped Eloquent lookups, enabling cross-tenant cloning where an authenticated user...
CVE-2026-34047 Coolify: WebSocket Endpoint Access Control Flaw Leading to Remote Code Execution
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal WebSocket bootstrap routes did not enforce the expected authorization middleware, allowing an authenticated user to access terminal functionality for resources...
CVE-2026-42331 FOSSBilling missing authorization in guest Invoice API endpoints
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the...
CVE-2026-59712 Leantime - Credential Disclosure via Unauthenticated JSON-RPC users.getUser Method
Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to...
CVE-2026-14778
A security vulnerability has been detected in SourceCodester Onlne Examination & Learning Management System 1.0. This affects an unknown part of the file /ajaxenroll.php of the component Enrollment Management. The manipulation of the argument studentid/scheduleid/action leads to improper...
CVE-2026-14716 nextlevelbuilder GoClaw WebSocket RPC router.go MethodRouter.Handle authorization
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.13.0-beta.2. Impacted is the function MethodRouter.Handle of the file internal/gateway/router.go of the component WebSocket RPC Handler. Such manipulation leads to incorrect authorization. The attack may be launched...
CVE-2026-14693
A flaw has been found in SourceCodester Multi-Vendor Online Grocery Management System 1.0. Affected by this vulnerability is the function cancelorder of the file classes/Master.php. Executing a manipulation can lead to improper authorization. The attack may be performed from remote. The exploit h...
CVE-2026-14690
A weakness has been identified in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This affects the function saveusers of the file classes/Users.php. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been made availabl...
CVE-2026-58422 Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts
Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts...
PT-2026-55655
Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description Improper authorization occurs during the OAuth sign-in callback process, which allows accounts that were previously disabled by an administrator to be silently...
CVE-2026-58580
LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibli...
CVE-2026-59100
CVE-2026-59100 affects LobeChat up to version 2.2.9. It describes a broken object level authorization allowing authenticated attackers to access and modify other users’ chat-group agent data by supplying arbitrary group identifiers. Attackers can call getGroupAgents, updateAgentInGroup, and remov...
EUVD-2026-41154
Craft CMS: Unauthorized Deletion of Source Assets During File Replacement...
EUVD-2026-41416
Craft CMS is a content management system CMS. Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function...
CVE-2026-14340 An incorrect authorization vulnerability in GitHub Enterprise Server allows issue creation in unrelated public repositories
An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a user-to-server token scoped to a GitHub App installation to perform certain write operations on public repositories outside the token's intended scope. This was possible because the authorization...
CVE-2026-53902
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrar...
EUVD-2026-40951
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive...