2499 matches found
CVE-2026-13237
Incorrect Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1...
CVE-2026-21044
Improper authorization in KnoxGuardManager prior to SMR Jul-2026 Release 1 allows local attackers to bypass the persistence configuration of the application...
CVE-2026-13151
CVE-2026-13151: GitLab EE contained an improper authorization control allowing an authenticated user to modify group-level settings beyond their permissions in versions 16.10–18.11.7, 19.0–19.0.3, and 19.1–19.1.1. The issue has been remediated; patches were released (18.11.7, 19.0.4, 19.1.2) and ...
CVE-2026-13151 Incorrect Authorization in GitLab
GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to modify group-level settings beyond their intended permissions due to improper...
CVE-2026-55873 SeaweedFS: Improper authorization in the S3Tables / Iceberg REST management API lets a low-privileged S3 user enumerate administrator-owned table buckets
SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated...
PT-2026-56516
Name of the Vulnerable Software and Affected Versions Astro version 6.4.7 Description Astro performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit. Subsequently, rewrite route matching performs an additional decodeURI operation, which can...
CVE-2026-34048 Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes...
CVE-2026-50282 Craft CMS: Unauthorized Deletion of Destination Folders During Forced Moves
Craft CMS is a content management system CMS. Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function...
CVE-2026-50282
Craft CMS is a content management system CMS. Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function...
CVE-2026-50282
Craft CMS contains an authorization issue in AssetsController::actionMoveFolder where calling with force=true to move a folder into a destination with a conflicting name can overwrite and delete the destination folder without destination delete permission. Affected versions are 5.0.0-RC1 and abov...
CVE-2026-50283 Craft CMS: Unauthorized Deletion of Source Assets During File Replacement
Craft CMS is a content management system CMS. Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId...
CVE-2026-50283
Craft CMS is a content management system CMS. Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId...
UBUNTU-CVE-2026-54475
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing...
CVE-2026-13591
DeepMyst Mysti 0.4.0 is affected by a vulnerability in the Contact Tracking module: the function _isTrackedConversation in ChannelBridge.ts can be manipulated via the _channelType argument, causing improper authorization. Access may be possible remotely, with attack complexity described as high a...
PT-2026-53194
Name of the Vulnerable Software and Affected Versions CherryHQ cherry-studio versions prior to 1.9.7 Description Improper authorization exists in the MCP OAuth Local Callback Server component within the src/main/services/mcp/oauth/callback.ts file. A remote attacker can manipulate the code argume...
GO-2026-5751 Argo has Missing Authorization in its Sync ConfigMap Provider in github.com/argoproj/argo-workflows
Argo has Missing Authorization in its Sync ConfigMap Provider in github.com/argoproj/argo-workflows...
SUSE-SU-2026:2579-1 Security update for docker-stable
This update for docker-stable fixes the following issues: - CVE-2026-33997: Fixed privilege validation bypass during plugin bsc1265907. - CVE-2026-34040: Fixed Authz zero length regression bsc1265929...
PT-2026-51211
Name of the Vulnerable Software and Affected Versions BerriAI litellm versions prior to 1.82.6 Description An authorization bypass exists in the Completions Interface. The issue occurs within the async pre call hook function located in the enterprise/enterprise hooks/banned keywords.py file. Remo...
CVE-2026-32967
The CVE-2026-32967 issue is an Incorrect Authorization vulnerability in Apache DolphinScheduler's /v2 experimental interface. Affected software: DolphinScheduler before version 3.4.2. Root cause: missing/incorrect permission checks on the /v2 endpoint. Impact: authorization bypass risk for the in...
USN-8405-2 cups regression
USN-8405-1 fixed vulnerabilities in CUPS. The update introduced a regression that cause CUPS to crash when parsing certain large printer PPD files. This update fixes the problem. Original advisory details: Ariel Silver discovered that CUPS incorrectly handled username comparisons during...