6 matches found

Positive Technologies (added 2026/05/11 12:0 a.m.)

PT-2026-39656

HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authoriz...

CVSS 8.1 | AI score 5.8 | EPSS 0.0003
Exploits: 1 | References: 4
RedHat Linux (added 2026/02/09 8:36 p.m.)

keycloak: Incorrect ownership checks in /uma-policy/

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService UMA Protection API. When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first...

CVSS 5.4 | AI score 5.8 | EPSS 0.00012
Exploits: 0 | References: 4
CVE (added 2026/02/09 6:58 p.m.)

CVE-2025-14778

A vulnerability in Keycloak’s UMA Protection API (UserManagedPermissionService) allows horizontal privilege escalation when updating or deleting a UMA policy tied to multiple resources. The authorization check currently validates ownership only against the first resource in the policy’s list, ena...

CVSS 5.4 | AI score 5.4 | EPSS 0.00012
Exploits: 0 | References: 6
CVE (added 2025/08/21 12:0 a.m.)

CVE-2025-55366

CVE-2025-55366 affects jshERP v3.5; improper access control in the UserController.java component (controller\UserController.java) allows attackers to arbitrarily reset user passwords and perform horizontal privilege escalation. Affected software/version is jshERP 3.5; underlying cause is access c...

CVSS 5.3 | AI score 7.6 | EPSS 0.00084
Exploits: 1 | References: 3 | Affected Software: 1
OSV (added 2025/05/21 5:15 p.m.)

CVE-2025-20114

A vulnerability in the API of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform a horizontal privilege escalation attack on an affected system. This vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker...

CVSS 4.3 | AI score 5.9 | EPSS 0.00186
Exploits: 0 | References: 1
Hacker One (added 2020/08/20 11:16 a.m.)

Acronis: Local Privilege Escalation via DLL Search-Order Hijacking with Cyber Protection Agent - tibxread.exe utility

Vulnerability description not provided...

AI score 7.1
Exploits: 0