103 matches found
Information Disclosure
Keycloak is vulnerable to Information Disclosure. The vulnerability is due to insufficient enforcement of user profile permissions in the group members endpoint, allowing an administrator with delegated access to read group memberships and users to view user attributes that are explicitly...
CVE-2026-41128
Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...
CVE-2026-9088 Keycloak: keycloak: information disclosure due to user profile permission bypass
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...
Vulnerabilities are handled in GitLab through GitLab Inc.
GitLab Inc. has addressed several vulnerabilities in GitLab Community Edition CE and Enterprise Edition EE in various versions, particularly in releases from version 8.3 to 18.11.3. These vulnerabilities concern various components and functions within GitLab, including Jira integration, container...
PT-2026-38301
Name of the Vulnerable Software and Affected Versions Lemur versions prior to 1.9.0 Description When LDAP TLS is enabled via the LDAP USE TLS variable, the LDAP authentication module in the bind function unconditionally disables TLS certificate verification at the global ldap module level. This...
CVE-2026-41128
Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...
CVE-2026-41128
Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...
EUVD-2026-24567
Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...
Missing Authorization
Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the actionSavePermissions process. An attacker can remove all group memberships from arbitrary users by submitting an empty groups parameter, resulting in immediate...
GHSA-RHCG-3H8R-V6VP Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks
Description A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group membership...
CVE-2026-31834
Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...
CVE-2026-23721 OpenProject users with "View Members" permission in any project can view all Group memberships
OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, d...
CVE-2026-23721 OpenProject users with "View Members" permission in any project can view all Group memberships
OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, d...
CVE-2026-23721
OpenProject suffers a permission-check flaw: if a user has the View Members permission in any project, they could enumerate all groups and see which users are in each group. This affects OpenProject versions prior to 17.0.1 and 16.6.5. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No...
PT-2026-3474
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.0.1 OpenProject versions prior to 16.6.5 Description OpenProject is a web-based project management software. A permission check failure in earlier versions allowed users with the 'View Members' permission in an...
GitLab 11.7 < 18.3.5 / 18.4 < 18.4.3 / 18.5 < 18.5.1 (CVE-2025-11974)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Gitlab reports: Improper access control issue in runner API impacts GitLab EE Denial of service issue in event collection impacts GitLab CE/EE Denial of service issue in JSON validation impacts GitLab...
GitLab 11.0 < 18.3.5 / 18.4 < 18.4.3 / 18.5 < 18.5.1 (CVE-2025-11447)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Gitlab reports: Improper access control issue in runner API impacts GitLab EE Denial of service issue in event collection impacts GitLab CE/EE Denial of service issue in JSON validation impacts GitLab...
GitLab 18.4 < 18.4.3 / 18.5 < 18.5.1 (CVE-2025-6601)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Gitlab reports: Improper access control issue in runner API impacts GitLab EE Denial of service issue in event collection impacts GitLab CE/EE Denial of service issue in JSON validation impacts GitLab...
FreeBSD : Gitlab -- vulnerabilities (f741ea93-af61-11f0-98b5-2cf05da270f3)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the f741ea93-af61-11f0-98b5-2cf05da270f3 advisory. Gitlab reports: Improper access control issue in runner API impacts GitLab EE Denial of servic...
Gitlab -- vulnerabilities
Gitlab reports: Improper access control issue in runner API impacts GitLab EE Denial of service issue in event collection impacts GitLab CE/EE Denial of service issue in JSON validation impacts GitLab CE/EE Denial of service issue in upload impacts GitLab CE/EE Incorrect Authorization issue in...