4429 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization due to improper access control in the unaccess process. An attacker can cause disruption of all public shares routed through a global frontend by sending a DELETE request to the affected API endpoint with knowled...
zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records
Summary The unaccess handler controller/unaccess.go contains a logical error in its ownership guard: when a frontend record has environmentid = NULL the marker for admin-created global frontends, the condition short-circuits to false and allows the deletion to proceed without any ownership...
Critical: Red Hat Security Advisory: General availability of the satellite/iop-host-inventory-frontend-rhel9 container image
A new satellite/iop-host-inventory-frontend-rhel9 container image is now generally available in the Red Hat container registry. Red Hat Lightspeed in Satellite analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running...
Critical: Red Hat Security Advisory: General availability of the satellite/iop-advisor-frontend-rhel9 container image
A new satellite/iop-advisor-frontend-rhel9 container image is now generally available in the Red Hat container registry. Red Hat Lightspeed in Satellite analyzes system health and configuration by applying predefined rules to a small set of local data, such as installed packages, running services...
Malicious code in agdebugger-frontend (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be34269bebfc9203228b56604d750ac51bdf4f84cbf58141d3317fc45c8854ad The package agdebugger-frontend was found to contain malicious code...
MAL-2026-2724 Malicious code in agdebugger-frontend (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be34269bebfc9203228b56604d750ac51bdf4f84cbf58141d3317fc45c8854ad The package agdebugger-frontend was found to contain malicious code...
PT-2026-33380
Name of the Vulnerable Software and Affected Versions zrok versions prior to 2.0.1 Description A logical error exists in the ownership guard of the unaccess handler within the controller/unaccess.go file. When a frontend record has the environment id variable set to NULL, which identifies...
WordPress WCFM Marketplace plugin <= 3.7.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin WCFM Marketplace versions = 3.7.1...
CVE-2026-3643 Accessibly <= 3.0.3 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API
The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permissioncallback set to returntrue...
CVE-2026-3643
The Accessibly WordPress plugin (versions ≤ 3.0.3) is vulnerable to an unauthenticated Stored XSS via REST API endpoints /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config. These endpoints have permission_callback set to __return_true, so no auth checks occur. updateWidgetOptions()...
CVE-2026-39425
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability that allows authenticated users to inject arbitrary HTML and JavaScript into the Application prologue Opening Remarks field by wrapping malicious payloads in tags...
CVE-2026-4365 LearnPress <= 4.3.2.8 - Missing Authorization to Unauthenticated Arbitrary Quiz Answer Deletion
The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the deletequestionanswer function in all versions up to, and including, 4.3.2.8. The plugin exposes a wprest nonce in public frontend HTML lpData to unauthenticated visitors, and...
CVE-2026-27679
Due to missing authorization checks in the SAP S/4HANA frontend OData Service Manage Reference Structures, an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and...
CVE-2026-27679
CVE-2026-27679 affects the SAP S/4HANA frontend OData Service (Manage Reference Structures). Missing authorization checks allow an attacker to update and delete child entities via exposed OData services, impacting integrity (I: High) with no confidentiality or availability impact stated. CVSS v3....
CVE-2026-27679 Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures)
Due to missing authorization checks in the SAP S/4HANA frontend OData Service Manage Reference Structures, an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and...
CVE-2026-27679 Missing Authorization check in SAP S/4HANA Frontend OData Service (Manage Reference Structures)
Due to missing authorization checks in the SAP S/4HANA frontend OData Service Manage Reference Structures, an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and...
PT-2026-32559
Due to missing authorization checks in the SAP S/4HANA frontend OData Service Manage Reference Structures, an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and...
CVE-2026-5724
The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests...
MAL-2026-2573 Malicious code in @aircall-ecosystem/integrations-msteams-frontend (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4343cd15bb1d3104166b2ddf4f549bc184fde49233b5cfba97f353f00a8c2a2e The package @aircall-ecosystem/integrations-msteams-frontend was found to contain malicious code. Source: ghsa-malware...