578 matches found
CVE-2026-54329
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while companyid is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another compa...
EUVD-2026-42982
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while companyid is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another compa...
CVE-2026-54329 Snipe-IT: Cross-Tenant Accessory Injection in Snipe-IT API
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while companyid is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another compa...
CVE-2026-54329
Summary: CVE-2026-54329 affects Snipe-IT before 8.6.2, where the Accessories API can mass-assign the company_id field, enabling a low-privilege user in one company (with FMCS enabled) to create accessory records under another company. Root cause: API create path mass-assigns request parameters di...
CVE-2026-43925 FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized promo code use
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can...
CVE-2026-43925
FOSSBilling (open-source billing/client management) contains an unauthenticated mass assignment vulnerability in the client self-registration endpoint, prior to version 0.8.0. An attacker can assign themselves to an arbitrary client group during sign-up, potentially bypassing group-restricted pro...
CVE-2026-43925
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can...
CVE-2026-43925 FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized promo code use
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can...
GHSA-7JVP-HJ45-2F2M Scriban: Template Writes to Arbitrary CLR Properties via `TypedObjectAccessor` (Mass Assignment + `private` / `init` / `internal` Setter Bypass)
Description When a host pushes a CLR object into a Scriban TemplateContext via the standard, documented pattern — var so = new ScriptObject; so"user" = currentUser; // direct CLR reference context.PushGlobalso; — TypedObjectAccessor exposes every public-getter property for both reading and writin...
PT-2026-56030
Name of the Vulnerable Software and Affected Versions FOSSBilling versions prior to 0.8.0 Description An unauthenticated mass assignment issue exists in the client self-registration endpoint. This allows a visitor to assign themselves to an arbitrary client group during the sign-up process. Since...
CVE-2026-50281
Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...
CVE-2026-50281 Craft CMS: Mass assignment via id in newAttributes during bulk duplicate overwrites existing elements
Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...
EUVD-2026-41409
Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...
CVE-2026-50281
Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...
CVE-2026-50281
Craft CMS vulnerability CVE-2026-50281 affects versions 5.7.0 through 5.9.20. A mass-assignment flaw in the bulk-duplicate element action allows an attacker who can duplicate their own entries to submit an arbitrary id via the newAttributes parameter. The duplication flow clones the source elemen...
CVE-2026-50160
Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extr...
CVE-2026-50160
Hoppscotch self-hosted deployments (Hoppscotch-backend
CVE-2026-50160 Mass Assignment via Onboarding Endpoint Allows Unauthenticated JWT_SECRET Overwrite
Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extr...
CVE-2026-54351
Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger allows an attacker to overwrite the interna...
CVE-2026-54351 Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger allows an attacker to overwrite the interna...