Lucene search
+L

73502 matches found

Vulnrichment
Vulnrichment
added 2 days ago9 views

CVE-2026-63099 TheHive 4.1.24 Broken Object Level Authorization via Attachment Download Endpoints

TheHive through 4.1.24 contains a broken object-level authorization vulnerability in the attachment download endpoints that allows any authenticated user to access attachments belonging to other organizations by supplying a content-hash identifier. Attackers can exploit the missing...

7.1CVSS5.5AI score0.00209EPSS
Exploits0References2
OSV
OSV
added 2 days ago3 views

CVE-2026-63099 TheHive 4.1.24 Broken Object Level Authorization via Attachment Download Endpoints

TheHive through 4.1.24 contains a broken object-level authorization vulnerability in the attachment download endpoints that allows any authenticated user to access attachments belonging to other organizations by supplying a content-hash identifier. Attackers can exploit the missing...

7.1CVSS5.5AI score0.00209EPSS
Exploits0References5
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-63095 Dendrite 0.13.8 Improper Authorization via POST account/3pid/delete Endpoint

Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint witho...

7.1CVSS0.00182EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-45192

Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint witho...

7.1CVSS5.5AI score0.00182EPSS
Exploits0References2
CVE
CVE
added 2 days ago12 views

CVE-2026-63095

CVE-2026-63095 affects Dendrite up to version 0.13.8. An improper authorization flaw in the Matrix Client-Server API allows any authenticated local user to delete another user’s third-party identifier (3PID) bindings by submitting an arbitrary address/medium to the account deletion endpoint witho...

7.1CVSS5.5AI score0.00182EPSS
Exploits0References2
OSV
OSV
added 2 days ago3 views

CVE-2026-63095 Dendrite 0.13.8 Improper Authorization via POST account/3pid/delete Endpoint

Dendrite through 0.13.8 contains an improper authorization vulnerability in the Matrix Client-Server API that allows any authenticated local user to delete third-party identifier bindings belonging to other users by submitting an arbitrary address and medium to the account deletion endpoint witho...

7.1CVSS5.5AI score0.00182EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-45191

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to, including private repository owners and names, branch names, commit SHAs,...

5.3CVSS5.5AI score0.00273EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2 days ago6 views

CVE-2026-15783 Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed reading private repository metadata via delegated bypass rule suites

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to, including private repository owners and names, branch names, commit SHAs,...

5.3CVSS5.4AI score0.00273EPSS
Exploits0References5
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-15783 Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed reading private repository metadata via delegated bypass rule suites

A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with write access to any repository to read metadata from private repositories they did not have access to, including private repository owners and names, branch names, commit SHAs,...

5.3CVSS0.00273EPSS
Exploits0References5
NVD
NVD
added 2 days ago8 views

CVE-2026-16089

A flaw was found in the keycloak-services component of Red Hat Build of Keycloak. The issue occurs because OAuth 2.0 authorization codes are not properly bound to the client that originally requested them. An attacker who can intercept an authorization code can modify it to be redeemed by their o...

5.4CVSS0.00154EPSS
Exploits0References2
NVD
NVD
added 2 days ago9 views

CVE-2026-16017

A security flaw has been discovered in mosaxiv clawlet up to 0.2.10. Impacted is the function list/remove of the file tools/toolcron.go of the component cron Chat Tool. The manipulation results in missing authorization. The attack may be performed from remote. The exploit has been released to the...

6.5CVSS0.00209EPSS
Exploits0References6
Cvelist
Cvelist
added 2 days ago38 views

CVE-2026-12715 Missing Authorization in Firebase Studio allows Cross-Tenant Source Code Theft

Missing Authorization in Google Cloud Firebase Studio versions prior to 2026-04-15 on Google Cloud Platform allows an attacker to download other users' deployed source code and access sensitive data via unauthorized GCS URL signing requests. This vulnerability was patched on 15 April 2026, and no...

8.5CVSS0.00207EPSS
Exploits0References1
CVE
CVE
added 2 days ago13 views

CVE-2026-12715

CVE-2026-12715 describes a missing authorization flaw in Google Cloud Firebase Studio for versions prior to 2026-04-15, enabling an attacker to download other users’ deployed source code and access sensitive data via unauthorized Google Cloud Storage URL signing requests. The issue has a high imp...

8.5CVSS5.5AI score0.00207EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2 days ago9 views

CVE-2026-12715 Missing Authorization in Firebase Studio allows Cross-Tenant Source Code Theft

Missing Authorization in Google Cloud Firebase Studio versions prior to 2026-04-15 on Google Cloud Platform allows an attacker to download other users' deployed source code and access sensitive data via unauthorized GCS URL signing requests. This vulnerability was patched on 15 April 2026, and no...

8.5CVSS5.5AI score0.00207EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago36 views

CVE-2026-14871 osTicket v1.18.3 - v1.17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization BOLA leading to Insecure Direct Object Reference IDOR in the AJAX ticket-management subsystem...

7.1CVSS0.00312EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2 days ago5 views

CVE-2026-14871 osTicket v1.18.3 - v1.17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization BOLA leading to Insecure Direct Object Reference IDOR in the AJAX ticket-management subsystem...

7.1CVSS5.3AI score0.00312EPSS
Exploits0References5
CVE
CVE
added 2 days ago13 views

CVE-2026-14871

This CVE affects osTicket versions 1.18.3 and 1.17.7, where a Broken Object Level Authorization (BOLA) leads to an Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem. The issue enables cross-department data disclosure due to improper access controls on object referenc...

7.1CVSS5.3AI score0.00312EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-45176

A flaw was found in the keycloak-services component of Red Hat Build of Keycloak. The issue occurs because OAuth 2.0 authorization codes are not properly bound to the client that originally requested them. An attacker who can intercept an authorization code can modify it to be redeemed by their o...

5.4CVSS5.4AI score0.00154EPSS
Exploits0References2
CVE
CVE
added 2 days ago11 views

CVE-2026-16089

The CVE-2026-16089 entry describes a vulnerability in Red Hat Build of Keycloak’s keycloak-services, where OAuth 2.0 authorization codes are not properly bound to the client that requested them. If an attacker can intercept an authorization code, they can modify it to be redeemed by their own cli...

5.4CVSS5.4AI score0.00154EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-16089 Keycloak-services: keycloak-services: authorization codes can be retargeted to another client session

A flaw was found in the keycloak-services component of Red Hat Build of Keycloak. The issue occurs because OAuth 2.0 authorization codes are not properly bound to the client that originally requested them. An attacker who can intercept an authorization code can modify it to be redeemed by their o...

5.4CVSS0.00154EPSS
Exploits0References2
Rows per page
Query Builder