
4429 matches found

Snyk | added 2026/04/16 9:09 p.m. | 5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

CVSS 6 | AI score 5.8 | EPSS 0.00286
Exploits: 0 | References: 3

Snyk | added 2026/04/16 9:09 p.m. | 9 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...

CVSS 6 | AI score 5.7 | EPSS 0.00286
Exploits: 0 | References: 3

Github Security Blog | added 2026/04/16 9:09 p.m. | 5 views

zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records

Summary: The unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard. When a frontend record has environmentid = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership...

CVSS 5.3 | AI score 5.8 | EPSS 0.00286
Exploits: 0 | References: 4 | Affected Software: 2

RedHat Linux | added 2026/04/16 3:10 p.m. | 9 views

Critical: Red Hat Security Advisory: General availability of the satellite/iop-host-inventory-frontend-rhel9 container image

A new satellite/iop-host-inventory-frontend-rhel9 container image is now generally available in the Red Hat container registry. Red Hat Lightspeed in Satellite analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running...

CVSS 9 | AI score 5.8 | EPSS 0.02667
Exploits: 6 | References: 8

RedHat Linux | added 2026/04/16 3:10 p.m. | 7 views

Critical: Red Hat Security Advisory: General availability of the satellite/iop-advisor-frontend-rhel9 container image

A new satellite/iop-advisor-frontend-rhel9 container image is now generally available in the Red Hat container registry. Red Hat Lightspeed in Satellite analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running services...

CVSS 9 | AI score 6.9 | EPSS 0.01815
Exploits: 6 | References: 7

OSSF Malicious Packages | added 2026/04/16 9:43 a.m. | 10 views

Malicious code in agdebugger-frontend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be34269bebfc9203228b56604d750ac51bdf4f84cbf58141d3317fc45c8854ad The package agdebugger-frontend was found to contain malicious code...

AI score 5.7
Exploits: 0

OSV | added 2026/04/16 9:43 a.m. | 8 views

MAL-2026-2724 Malicious code in agdebugger-frontend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be34269bebfc9203228b56604d750ac51bdf4f84cbf58141d3317fc45c8854ad The package agdebugger-frontend was found to contain malicious code...

AI score 5.7
Exploits: 0

Positive Technologies | added 2026/04/16 12:00 a.m. | 6 views

PT-2026-33380

Name of the Vulnerable Software and Affected Versions zrok versions prior to 2.0.1 Description A logical error exists in the ownership guard of the unaccess handler within the controller/unaccess.go file. When a frontend record has the environment id variable set to NULL, which identifies...

CVSS 5.3 | AI score 5.9 | EPSS 0.00286
Exploits: 0 | References: 8

Patchstack | added 2026/04/15 4:20 p.m. | 5 views

WordPress WCFM Marketplace plugin <= 3.7.1 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Martino Spagnuolo (r3verii) in WordPress Plugin WCFM Marketplace versions <= 3.7.1...

CVSS 7.6 | AI score 6 | EPSS 0.00271
Exploits: 0 | Affected Software: 1

Vulnrichment | added 2026/04/15 8:28 a.m. | 3 views

CVE-2026-3643 Accessibly <= 3.0.3 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API

The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permission_callback set to __return_true...

CVSS 7.2 | AI score 5.7 | EPSS 0.00411
Exploits: 0 | References: 9

CVE | added 2026/04/15 8:28 a.m. | 19 views

CVE-2026-3643

The Accessibly WordPress plugin (versions ≤ 3.0.3) is vulnerable to an unauthenticated Stored XSS via REST API endpoints /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config. These endpoints have permission_callback set to __return_true, so no auth checks occur. updateWidgetOptions()...

CVSS 7.2 | AI score 5.7 | EPSS 0.00411
Exploits: 0 | References: 9

NVD | added 2026/04/14 2:16 a.m. | 8 views

CVE-2026-39425

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject arbitrary HTML and JavaScript into the Application prologue (Opening Remarks) field by wrapping malicious payloads in tags...

CVSS 5.4 | EPSS 0.0018
Exploits: 0 | References: 2

Vulnrichment | added 2026/04/14 1:24 a.m. | 1 view

CVE-2026-4365 LearnPress <= 4.3.2.8 - Missing Authorization to Unauthenticated Arbitrary Quiz Answer Deletion

The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the deletequestionanswer function in all versions up to, and including, 4.3.2.8. The plugin exposes a wp_rest nonce in public frontend HTML (lpData) to unauthenticated visitors, and...

CVSS 9.1 | AI score 5.8 | EPSS 0.00867
Exploits: 0 | References: 4

NVD | added 2026/04/14 12:16 a.m. | 4 views

CVE-2026-27679

Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and...

CVSS 6.5 | EPSS 0.00181
Exploits: 0 | References: 2

CVE | added 2026/04/14 12:07 a.m. | 13 views

CVE-2026-27679

CVE-2026-27679 affects the SAP S/4HANA frontend OData Service (Manage Reference Structures). Missing authorization checks allow an attacker to update and delete child entities via exposed OData services, impacting integrity (I: High) with no confidentiality or availability impact stated. CVSS v3....

CVSS 6.5 | AI score 5.8 | EPSS 0.00181
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment | added 2026/04/14 12:07 a.m. | 3 views

CVE-2026-27679 Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures)

Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and...

CVSS 6.5 | AI score 5.8 | EPSS 0.00181
Exploits: 0 | References: 2

Cvelist | added 2026/04/14 12:07 a.m. | 30 views

CVE-2026-27679 Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures)

Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and...

CVSS 6.5 | EPSS 0.00181
Exploits: 0 | References: 2

Positive Technologies | added 2026/04/14 12:00 a.m. | 10 views

PT-2026-32559

Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and...

CVSS 6.5 | AI score 5.8 | EPSS 0.00181
Exploits: 0 | References: 3

RedhatCVE | added 2026/04/13 7:24 p.m. | 2 views

CVE-2026-5724

The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests...

CVSS 6.3 | AI score 5.8 | EPSS 0.0051
Exploits: 0 | References: 1

OSV | added 2026/04/13 3:25 p.m. | 4 views

MAL-2026-2573 Malicious code in @aircall-ecosystem/integrations-msteams-frontend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4343cd15bb1d3104166b2ddf4f549bc184fde49233b5cfba97f353f00a8c2a2e The package @aircall-ecosystem/integrations-msteams-frontend was found to contain malicious code. Source: ghsa-malware...

AI score 5.7
Exploits: 0 | References: 1