219601 matches found
CVE-2026-37981 Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in user lookup endpoint
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...
CVE-2026-37981
Keycloak CVE-2026-37981 describes a broken access control in the Account Resources user lookup endpoint, where a remote authenticated user owning at least one UMA resource can enumerate and harvest PII for all realm users by sending crafted requests with arbitrary usernames or emails. The endpoin...
CVE-2026-37981
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By...
Insufficient Granularity of Access Control
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control via the user handler in the resource account service. An attacker...
CVE-2026-46721
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...
CVE-2026-31388
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...
CVE-2026-31388 Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...
CVE-2026-31388
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...
CVE-2026-31388
CVE-2026-31388 affects Apache OFBiz in multi-tenant deployments and is due to Improper Access Control, enabling cross-tenant data exposure via the Program Export feature. Affected versions are before 24.09.06. The advisory recommends upgrading to OFBiz 24.09.06 or later to fix the issue. No explo...
EUVD-2026-30867
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...
CVE-2026-31388 Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature
Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...
libvirt: Denial of service in XML parsing
A flaw was discovered in libvirt in the XML file processing. More specifically, the parsing of user provided XML files was performed before the ACL checks. A malicious user with limited permissions could exploit this flaw by submitting a specially crafted XML file, causing libvirt to allocate too...
CVE-2026-46721
Summary (CVE-2026-46721): The issue is in the TYPO3 extension “Frontend User Registration” (sf_register). The create/edit flows allow submitting arbitrary user properties and do not enforce frontend access control on user-group assignment, enabling an attacker to assign any frontend user group to...
EUVD-2026-30857
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...
CVE-2026-46721 Broken Access Control in extension "Frontend User Registration" (sf_register)
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...
CVE-2026-46721
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...
CVE-2026-46721 Broken Access Control in extension "Frontend User Registration" (sf_register)
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...
Exploit for Incorrect Authorization in Litellm
CVE-2026-35029 – LiteLLM /config/update privilege escalation...
CVE-2026-44408
Summary: CVE-2026-44408 affects the ZTE MU5250 due to improper permission control in the Web interface, enabling an unauthorized attacker to modify configuration via the web UI. The CVSS 3.1 vector is AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H with a base score of 6.3 (Medium) . Exploitation status is n...
CVE-2026-44408 Unauthorized access vulnerability in ZTE MU5250
There is an unauthorized access vulnerability in ZTE MU5250. Due to improper permission control of the Web interface, an unauthorized attacker can modify configuration through the interface...