
11 matches found

Vulnrichment
added 2026/04/18 12:5 a.m., 0 views

CVE-2026-40349 Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending isAdmin=true to PUT /settings/users/userId for their own user ID. The endpoint is intended to let a user ed...

CVSS 8.8, AI score 5.8, EPSS 0.00016
Exploits: 1, References: 4

Positive Technologies
added 2026/04/18 12:0 a.m., 2 views

PT-2026-33541

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending isAdmin=true to PUT /settings/users/userId for their own user ID. The endpoint is intended to let a user ed...

CVSS 8.8, AI score 5.8, EPSS 0.00016
Exploits: 1, References: 5

RedhatCVE
added 2026/02/27 4:13 a.m., 3 views

CVE-2026-27899

WireGuard Portal or wg-portal is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. Aft...

CVSS 8.8, AI score 5.5, EPSS 0.00095
Exploits: 0, References: 1

Github Security Blog
added 2026/02/26 10:22 p.m., 6 views

WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level

Privilege Escalation to Admin via User Self-Update in wg-portal Summary Any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. After logging out and back in, the session picks up...

CVSS 8.8, AI score 5.5, EPSS 0.00095
Exploits: 0, References: 6, Affected Software: 1

Snyk
added 2026/02/26 3:13 a.m., 1 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management via the IsAdmin field in the user profile update process. An attacker can gain unauthorized administrative privileges by sending a crafted PUT request to their own user profile endpoint with IsAdmin set to...

CVSS 8.8, AI score 6, EPSS 0.00095
Exploits: 0, References: 2

Snyk
added 2026/02/26 3:13 a.m., 1 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management via the IsAdmin field in the user profile update process. An attacker can gain unauthorized administrative privileges by sending a crafted PUT request to their own user profile endpoint with IsAdmin set to...

CVSS 8.8, AI score 6, EPSS 0.00095
Exploits: 0, References: 2

Snyk
added 2026/02/26 3:13 a.m., 1 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management via the IsAdmin field in the user profile update process. An attacker can gain unauthorized administrative privileges by sending a crafted PUT request to their own user profile endpoint with IsAdmin set to...

CVSS 8.8, AI score 6, EPSS 0.00095
Exploits: 0, References: 2

OSV
added 2026/02/26 12:50 a.m., 2 views

CVE-2026-27899 WireGuard Portal Vulnerable to Privilege Escalation to Admin via User Self-Update

WireGuard Portal or wg-portal is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. Aft...

CVSS 8.8, AI score 5.6, EPSS 0.00095
Exploits: 0, References: 3

CVE
added 2026/02/26 12:50 a.m., 11 views

CVE-2026-27899

WireGuard Portal (wg-portal) prior to v2.1.3 allows any authenticated non-admin user to elevate to full admin by sending IsAdmin=true in a PUT to their own profile, with the admin flag not being preserved by the server’s protection logic. After logout and login, the session inherits admin privile...

CVSS 8.8, AI score 5.5, EPSS 0.00095
Exploits: 0, References: 1, Affected Software: 1

CNNVD
added 2026/02/26 12:0 a.m., 3 views

WireGuard Portal v2 Security Vulnerability

WireGuard Portal v2 is a web-based configuration portal developed by h44z as an individual project. Versions of WireGuard Portal v2 prior to 2.1.3 contained security vulnerabilities. These vulnerabilities stemmed from the server’s inability to protect the IsAdmin field when parsing JSON request...

CVSS 8.8, AI score 7.3, EPSS 0.00095
Exploits: 0, References: 1

Positive Technologies
added 2026/02/26 12:0 a.m., 4 views

PT-2026-22074

Name of the Vulnerable Software and Affected Versions WireGuard Portal versions prior to 2.1.3 Description WireGuard Portal, a web-based configuration portal for WireGuard server management, contains a flaw that allows authenticated non-admin users to escalate their privileges to full administrat...

CVSS 9.9, AI score 5.9, EPSS 0.07313
Exploits: 68, References: 144