6955 matches found

Source: Nuclei (added 8 hours ago, 33 views)

Keycloak < 24.0.5 - Broken Access Control

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. id: CVE-2024-3656 info...

CVSS 8.1 | AI score 7.2 | EPSS 0.02837
Exploits 0 | References 5
Source: NVD (added yesterday, 5 views)

CVE-2026-44274

Dell Wyse Management Suite WMS, versions prior to WMS 2605, contain an Improper Link Resolution Before File Access vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access...

CVSS 7.8
Exploits 0 | References 1
Source: NVD (added yesterday, 4 views)

CVE-2026-44271

Dell Wyse Management Suite WMS, versions prior to WMS 2605, contain an Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access...

CVSS 8.1
Exploits 0 | References 1
Source: NVD (added yesterday, 4 views)

CVE-2026-8823

Mattermost versions 11.7.x <= 11.7.0 and 10.11.x <= 10.11.17 fail to validate bot targets when demoting users to guests, which allows a lower-privileged administrator to degrade arbitrary bot accounts via the standard demote-user API. Mattermost Advisory ID: MMSA-2026-00669...

CVSS 3.8
Exploits 0 | References 1
Source: CVE (added yesterday, 5 views)

CVE-2026-8823

Mattermost versions affected are 11.7.x <= 11.7.0 and 10.11.x

CVSS 3.8 | AI score 6
Exploits 0 | References 1
Source: CVE (added 2 days ago, 11 views)

CVE-2026-56385

Craft CMS suffers an authorization bypass in the assets/preview-file endpoint. Versions affected: 5.0.0-RC1–5.9.13 and 4.0.0-RC1–4.17.7. An authenticated low-privileged user can supply an assetId for an asset they should not view and still receive preview data (previewHtml), including a private p...

CVSS 5.3 | AI score 5.9
Exploits 0 | References 3
Source: Cvelist (added 5 days ago, 16 views)

CVE-2026-54219 Stored XSS in UBB.threads

UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low privileged attackers to inject arbitrary JavaScript that executes in a victim's browser upon viewing. Because vendor contact attempts were...

CVSS 5.1 | EPSS 0.00293
Exploits 0 | References 2
Source: EUVD (added 5 days ago, 7 views)

EUVD-2026-37882

UBB.threads is vulnerable to Stored XSS via user posts and user profile fields. The application fails to properly sanitize user input, allowing low privileged attackers to inject arbitrary JavaScript that executes in a victim's browser upon viewing. Because vendor contact attempts were...

CVSS 5.1 | AI score 5.3 | EPSS 0.00293
Exploits 0 | References 2
Source: Cvelist (added 5 days ago, 17 views)

CVE-2026-11719

An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol...

CVSS 8.6 | EPSS 0.0015
Exploits 0 | References 2
Source: NVD (added 6 days ago, 10 views)

CVE-2026-20265

In Splunk AI Toolkit versions below 5.7.4, a low-privileged user that does not hold the "admin" or "power" Splunk roles could cause the Splunk AI Toolkit to make outbound requests over HTTP to a server that an attacker controls, which could allow for data exfiltration. The vulnerability exists...

CVSS 4.3 | EPSS 0.00201
Exploits 0 | References 1
Source: NVD (added 6 days ago, 10 views)

CVE-2026-32652

Dell AIOps Collector versions prior to 1.18.3 contain a "Use of Default Credentials" vulnerability. A low privileged attacker with console access could potentially exploit this vulnerability to gain Filesystem access. This vulnerability only affects fresh installations of Collector versions earli...

CVSS 7.8 | EPSS 0.00098
Exploits 0 | References 1
Source: CVE (added 6 days ago, 15 views)

CVE-2026-20265

Splunk AI Toolkit has a vulnerability in versions below 5.7.4 where a low-privilege user (not admin/power) can cause the toolkit to issue outbound HTTP requests to an attacker-controlled server due to an insecure default domain allowlist. This could enable data exfiltration. Root cause: outbound ...

CVSS 4.3 | AI score 5.3 | EPSS 0.00201
Exploits 0 | References 1 | Affected Software 1
Source: NVD (added 6 days ago, 9 views)

CVE-2026-10850

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint...

CVSS 6.9 | EPSS 0.00243
Exploits 0 | References 2
Source: RedhatCVE (added 6 days ago, 7 views)

CVE-2026-48776

A flaw was found in the LangGraph Python SDK. This vulnerability allows a remote attacker with low privileges to manipulate URL paths by providing unsanitized input. This could result in unintended access, modification, or deletion of resources, potentially compromising data confidentiality and...

CVSS 6 | AI score 5.3 | EPSS 0.0022
Exploits 0 | References 5
Source: Cvelist (added 6 days ago, 27 views)

CVE-2026-35067

Dell PowerFlex Manager, versions Versions, contains an Improper Access Control vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges and Unauthorized access...

CVSS 5.7 | EPSS 0.00133
Exploits 0 | References 1
Source: CVE (added 6 days ago, 10 views)

CVE-2026-35162

Technical details about CVE-2026-35162 are not publicly available in the provided documents. Monitor for updates from Dell and security advisories.

CVSS 6.5 | AI score 5.4 | EPSS 0.00195
Exploits 0 | References 1 | Affected Software 1
Source: Cvelist (added 6 days ago, 27 views)

CVE-2026-10850 Plane 1.3.1 - Stored XSS in intake issue description_html

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint...

CVSS 6.9 | EPSS 0.00243
Exploits 0 | References 2
Source: EUVD (added 6 days ago, 9 views)

EUVD-2026-37732

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint...

CVSS 6.9 | AI score 5.4 | EPSS 0.00243
Exploits 0 | References 2
Source: CVE (added 6 days ago, 9 views)

CVE-2026-10850

CVE-2026-10850 affects Plane CE 1.3.1. A low-privileged project member can submit arbitrary HTML/JS in the description_html field when creating an intake work item via the API v1 intake endpoint, enabling stored XSS. The description_html field is the vector; no exploit details or affected version...

CVSS 6.9 | AI score 5.4 | EPSS 0.00243
Exploits 0 | References 2
Source: NVD (added 6 days ago, 6 views)

CVE-2026-46959

Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite component: Internal Operations. Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledge...

CVSS 7.5 | EPSS 0.00311
Exploits 0 | References 1