CVE-2026-44542

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences e.g., ../ to escape the intended shared directory. As a result, an...

EUVD-2026-30344

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences e.g., ../ to escape the intended shared directory. As a result, an...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the path parameter in the DELETE API endpoints. An attacker can delete arbitrary files outside the intended shared directory by supplying crafted path traversal sequences, resulting in unauthorized data loss and...

FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion

Summary Attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences e.g., ../ to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete...

CVE-2026-21641

Revive Adserver CVE-2026-21641 is an authorization bypass in the tracker-delete.php script. Reported by HackerOne, the issue allows users with delete-tracker permissions to delete trackers owned by other accounts. Verified across multiple sources (NVD, RH, CIRCL, CVE List, EUVD, AttackeRKB, etc.)...

CVE-2026-21641

HackerOne community member Jad Ghamloush 0xjad has reported an authorization bypass vulnerability in the tracker-delete.php script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts...

CVE-2023-49783

Silverstripe Admin provides a basic management interface for the Silverstripe Framework. In versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8, users who don't have edit or delete permissions for records exposed in a ModelAdmin can still edit or delete records using...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via inadequate enforcement of branch delete permissions after merging a pull request. An attacker can delete arbitrary branches. Remediation Upgrade code.gitea.io/gitea/routers/web/repo to version 1.22.5 or highe...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via inadequate enforcement of branch delete permissions after merging a pull request. An attacker can delete arbitrary branches. Remediation Upgrade github.com/go-gitea/gitea/routers/api/v1/repo to version 1.22.5...

EUVD-2025-200087

Mattermost versions 11.0.x = 11.0.2, 10.12.x = 10.12.1, 10.11.x = 10.11.4, 10.5.x = 10.5.12 fail to validate user permissions when deleting comments in Boards, which allows an authenticated user with the editor role to delete comments created by other users...

PT-2025-48544

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.0.0 through 11.0.2 Mattermost versions 10.5.0 through 10.5.12 Mattermost versions 10.11.0 through 10.11.4 Mattermost versions 10.12.0 through 10.12.1 Description The software does not properly check user permissions when...

EUVD-2017-17397

Malware in sbrugna...

EUVD-2022-3257

Malicious code in bioql PyPI...

Improper Access Control

unopim/unopim is vulnerable to Improper Access Control. The vulnerability is due to insufficient privilege enforcement on the mass-delete endpoint, which allows an attacker without "Delete" permissions to bypass restrictions and delete products...

CVE-2025-5187

A vulnerability was found in the kube-apiserver's NodeRestriction admission controller, where node users can delete their corresponding node object by setting their own OwnerReference to a cluster-scoped resource. This flaw allows an attacker to delete and recreate its node object, leading to the...

PT-2024-30269 · Jenkins +1 · Jenkins +1

Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.470 and earlier Jenkins LTS versions 2.452.3 and earlier Description: The issue arises from a lack of permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to access other users' "My Views"...

CVE-2023-49783 No permission checks for editing/deleting records with CSV import form

Silverstripe Admin provides a basic management interface for the Silverstripe Framework. In versions on the 1.x branch prior to 1.13.19 and on the 2.x branch prior to 2.1.8, users who don't have edit or delete permissions for records exposed in a ModelAdmin can still edit or delete records using...

CVE-2023-25817 Delete permissions are not saved when creating public share in Nextcloud server

Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to deletable but only viewed or downloaded. This issue has been addressed andit is recommended that the...

CVE-2021-44795 Modifying User Permissions via Unauthorized Access in Single Connect

Single Connect does not perform an authorization check when using the "sc-assigned-credential-ui" module. A remote attacker could exploit this vulnerability to modify users permissions. The exploitation of this vulnerability might allow a remote attacker to delete permissions from other users...

PT-2022-12236

Name of the Vulnerable Software and Affected Versions Single Connect affected versions not specified Description The issue arises from the lack of an authorization check in Single Connect when utilizing the sc-assigned-credential-ui module. This allows a remote attacker to potentially modify user...