Lucene search
K

18 matches found

CVE
CVE
added 4 days ago19 views

CVE-2026-54329

Summary: CVE-2026-54329 affects Snipe-IT before 8.6.2, where the Accessories API can mass-assign the company_id field, enabling a low-privilege user in one company (with FMCS enabled) to create accessory records under another company. Root cause: API create path mass-assigns request parameters di...

8.5CVSS6.1AI score0.00389EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/07/06 11:16 a.m.8 views

CVE-2026-12686

An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user...

9.3CVSS0.00309EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 8:48 a.m.35 views

CVE-2026-12686 Incorrect authorisation in Adiss’s Biloop

An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user...

9.3CVSS0.00309EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/23 11:12 p.m.11 views

Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection

Impact A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support FMCS is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by supplying a foreign companyi...

8.5CVSS5.8AI score0.00389EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.10 views

PT-2026-51642

Name of the Vulnerable Software and Affected Versions Snipe-IT affected versions not specified Description An authorization bypass exists in the BulkAssetsController::update function. The system accepts the company id variable directly from user input without utilizing the standard company-scopin...

6.3CVSS5.9AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.11 views

PT-2026-51636

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.2 Description A cross-tenant data injection issue exists in the Accessories API when Full Multiple Companies Support is enabled. A low-privileged authenticated user can create accessory records belonging to a...

8.5CVSS6.1AI score0.00389EPSS
Exploits0References12
CVE
CVE
added 2026/06/15 10:4 a.m.30 views

CVE-2026-34028

The CVE-2026-34028 entry concerns Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014). It exposes web-accessible file paths that lack authorization, allowing an unauthenticated attacker to directly download files via HTTP endpoints such as /Resources/CompanyId_[ID]/Audio/ and /Safe...

6.9CVSS5.3AI score0.00397EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.16 views

PT-2026-49199

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyId ID/Audio/ and...

6.9CVSS5.3AI score0.00397EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/03/26 3:12 p.m.4 views

CVE-2026-3506

The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the...

5.3CVSS5.8AI score0.00273EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/21 6:30 a.m.5 views

EUVD-2026-13998

The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the...

5.3CVSS5.8AI score0.00273EPSS
Exploits0References9
NVD
NVD
added 2026/03/21 4:17 a.m.9 views

CVE-2026-3506

The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the...

5.3CVSS0.00273EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/03/21 3:26 a.m.5 views

CVE-2026-3506 WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover

The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the...

5.3CVSS5.8AI score0.00273EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/03/21 12:0 a.m.9 views

WordPress plugin WP-Chatbot for Messenger 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

5.3CVSS5.8AI score0.00273EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.9 views

PT-2026-26857

The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the...

5.3CVSS5.8AI score0.00273EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/03/05 12:0 a.m.3 views

CVE-2025-70614

OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain to access to arbitrary SMS messages via a crafted company or tenant identifier parameter...

6AI score0.00261EPSS
Exploits0References2
CNVD
CNVD
added 2018/01/26 12:0 a.m.2 views

LiveCRM SaaS Cloud SQL Injection Vulnerability in Joomla!

Joomla! is an open source content management system CMS developed by the Open Source Matters team in the U.S. The system provides RSS feeds, site search, etc. LiveCRM SaaS Cloud is an open source, cloud-based business management and customer relationship management component used in it. A SQL...

9.8CVSS8.2AI score0.1915EPSS
Exploits5References1
OSV
OSV
added 2018/01/24 10:29 a.m.5 views

CVE-2018-5985

SQL Injection exists in the LiveCRM SaaS Cloud 1.0 component for Joomla! via an r=site/login&companyid= request...

9.8CVSS5.8AI score0.1915EPSS
Exploits5References1
Metasploit
Metasploit
added 2011/12/28 9:41 p.m.43 views

CorpWatch Company ID Information Search

This module interfaces with the CorpWatch API to get publicly available info for a given CorpWatch ID of the company. If you don't know the CorpWatch ID, please use the corpwatchlookupname module first. This module requires Metasploit: https://metasploit.com/download Current source:...

6.9AI score
Exploits0
Rows per page
Query Builder