Lucene search
+L

54 matches found

CVE
CVE
added 2026/07/04 12:49 p.m.20 views

CVE-2025-13475

Technical details about CVE-2025-13475 are not publicly available in the provided documents. Monitor for updates.

7.3CVSS5.9AI score0.00158EPSS
Exploits0References1Affected Software1
RedHat Linux
RedHat Linux
added 2026/07/01 5:33 p.m.7 views

foreman: foreman: Cross-tenant private SSH key disclosure via taxonomy scoping bypass

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.00253EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/07/01 5:32 p.m.6 views

foreman: foreman: Cross-tenant private SSH key disclosure via taxonomy scoping bypass

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.00253EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/07/01 5:31 p.m.9 views

foreman: foreman: Cross-tenant private SSH key disclosure via taxonomy scoping bypass

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.00253EPSS
Exploits0References4
NVD
NVD
added 2026/07/01 3:17 p.m.9 views

CVE-2026-5142

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS0.00253EPSS
Exploits0References6
CVE
CVE
added 2026/07/01 2:7 p.m.53 views

CVE-2026-5142

CVE-2026-5142 (Foreman) : A flaw allows authenticated users with the low-privilege permission view_keypairs to bypass taxonomy scoping and download private SSH keys from other organizations by querying key pair IDs. This results in cross-tenant data exposure in multi-tenant deployments. The initi...

6.5CVSS5.7AI score0.00253EPSS
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/01 2:7 p.m.5 views

CVE-2026-5142

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.00253EPSS
Exploits0References7
EUVD
EUVD
added 2026/07/01 2:7 p.m.9 views

EUVD-2026-41002

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.00253EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/07/01 2:7 p.m.9 views

CVE-2026-5142 Foreman: foreman: cross-tenant private ssh key disclosure via taxonomy scoping bypass

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.00253EPSS
Exploits0References4
OSV
OSV
added 2026/07/01 2:7 p.m.4 views

CVE-2026-5142 Foreman: foreman: cross-tenant private ssh key disclosure via taxonomy scoping bypass

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS6AI score0.00253EPSS
Exploits0References9
OSV
OSV
added 2026/06/30 10:8 p.m.4 views

CVE-2026-56230 Capgo - Broken Object Level Authorization via x-limited-key-id Header

Capgo before 12.128.2 contains a broken object level authorization vulnerability in middlewareKey that accepts the client-controlled x-limited-key-id header without validating ownership, allowing authenticated users to adopt cross-tenant limited keys. Attackers can supply another tenant's limited...

8.7CVSS6AI score0.00322EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/22 9:4 p.m.9 views

EUVD-2026-38373

Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channelself endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary...

8.7CVSS5.9AI score0.00379EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/17 6:49 p.m.13 views

Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation

Summary A critical missing authorization flaw exists in Avo's association attach workflow. The UI and GET /resources/:resource/:id/:related/new path can check attach?, but the actual write endpoint, POST /resources/:resource/:id/:related, does not run the same authorization check before mutating...

9.6CVSS5.4AI score
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50602

Name of the Vulnerable Software and Affected Versions Avo affected versions not specified Description A missing authorization flaw in the association attach workflow allows authenticated low-privileged users to bypass access controls. While the user interface and the 'GET...

9.6CVSS5.9AI score
Exploits0References9
CVE
CVE
added 2026/06/12 9:3 p.m.37 views

CVE-2026-47124

CVE-2026-47124 (Nezha Monitoring) : In versions 1.4.0 through before 2.0.9, any authenticated non-admin user can connect to the server-status WebSocket and receive telemetry for all servers, including those owned by other users. The WebSocket stream bypasses per-server HasPermission checks, retur...

6.5CVSS5.2AI score0.0027EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/29 9:19 p.m.39 views

CVE-2026-9831 ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS0.00172EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.24 views

PT-2026-44998

Name of the Vulnerable Software and Affected Versions ExtremeCloud IQ affected versions not specified Description A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path can intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued AP...

6.3CVSS5.8AI score0.00172EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/28 4:51 p.m.34 views

CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, OpenReplay's Python API exposes several appapikey routes that trust a caller-provided projectKey after validating only that the API key itself is valid and that the target projectKey exists. The authorization flow does not verify...

7.7CVSS0.00231EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/28 4:50 p.m.32 views

CVE-2026-45297 Cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...

5.3CVSS0.00207EPSS
Exploits0References1
CVE
CVE
added 2026/05/19 9:28 a.m.22 views

CVE-2026-31388

CVE-2026-31388 affects Apache OFBiz in multi-tenant deployments and is due to Improper Access Control, enabling cross-tenant data exposure via the Program Export feature. Affected versions are before 24.09.06. The advisory recommends upgrading to OFBiz 24.09.06 or later to fix the issue. No explo...

5.3CVSS5.8AI score0.00416EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder