CVE-2026-35063 Missing Authorization in OpenPLC_V3

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

CVE-2026-33125 Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version...

CVE-2026-33125

Frigate (NVR for IP cameras) has a broken access control vulnerability: in versions ≤0.16.2, users with the viewer role can delete admin and other low-privileged accounts via the API, potentially causing denial of service and compromising data integrity. The issue is addressed in version 0.16.3. ...

CVE-2026-33125 Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version...

CVE-2026-33125 Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version...

Frigate 授权问题漏洞

Frigate is a complete native NVR developed by Blake Blackshear, designed specifically for home assistants with AI object detection capabilities. Versions of Frigate prior to 0.16.2 have a licensing issue vulnerability. This vulnerability stems from the ability of the viewer role user to delete...

Frigte has broken access control viewer user can delete admin and other users account

Summary Users with the viewer role can delete admin and other users account. It this leads to denial of service and affects data integrity. Details Endpoint DELETE /api/users/admin is enable to anonymous user. PoC I deleted admin user on demo.frigate.video: Impact It this leads to denial of servi...

PT-2025-52705

Name of the Vulnerable Software and Affected Versions Screen SFT DAB 600/C version 1.9.3 Description Screen SFT DAB 600/C Firmware version 1.9.3 contains a session management issue that allows attackers to bypass authentication controls by exploiting IP address session binding. Attackers can reus...

CVE-2023-53741

Screen SFT DAB 1.9.3 contains a weak session management vulnerability that allows attackers to bypass authentication controls by reusing IP address-bound session identifiers. Attackers can exploit the vulnerable API by intercepting and reusing established sessions to remove user accounts without...

CVE-2025-63214

An issue was discovered in bridgetech VBC Server & Element Manager, firmware version 6.5.0-10 , 6.5.0-9, allowing unauthorized attackers to delete and create arbitrary accounts...

CVE-2025-63955

A Cross-Site Request Forgery CSRF vulnerability in the manage-students.php component of PHPGurukul Student Record System v3.2 allows an attacker to trick an authenticated administrator into submitting a forged request. This leads to the unauthorized deletion of user accounts, causing a Denial of...

CVE-2025-20190

A vulnerability in the lobby ambassador web interface of Cisco IOS XE Wireless Controller Software could allow an authenticated, remote attacker to remove arbitrary users that are defined on an affected device. This vulnerability is due to insufficient access control of actions executed by lobby...

CVE-2024-12386

The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.3. This is due to missing nonce validation on multiple functions. This makes it possible for unauthenticated attackers to delete arbitrary accounts via a forged request...

WordPress plugin WP Abstracts 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forger...

PT-2024-28867 · Unknown · Kashipara Online Exam System

Name of the Vulnerable Software and Affected Versions: Kashipara Online Exam System version 1.0 Description: A Broken Access Control issue was found in "admin/update.php" and "admin/dashboard.php", allowing remote unauthenticated attackers to view the administrator dashboard and delete valid user...

Broken Access Control

in2code/femanager is vulnerable to Broken Access Control. The vulnerability is due to the improper implementation of access control in the check edit user component. This issue can be exploited by an attacker as an authenticated user to either edit data of various frontend users or to delete...

CVE-2023-43148

SPA-Cart 1.9.0.3 has a Cross Site Request Forgery CSRF vulnerability that allows a remote attacker to delete all accounts...

SPA-Cart eCommerce CMS Cross-Site Request Forgery Vulnerability

SPA-Cart eCommerce CMS is a CMS system from SPA-Cart Inc. A security vulnerability exists in SPA-Cart eCommerce CMS version 1.9.0.3 that stems from the presence of a cross-site request forgery CSRF vulnerability. An attacker can exploit the vulnerability to delete all accounts...

CVE-2023-20113

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery CSRF attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management...

CVE-2023-20113

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery CSRF attack on an affected system. This vulnerability is due to insufficient CSRF protections for the web-based management...