Lucene search
+L

311 matches found

cvelist
cvelist
added 2026/05/22 3:29 p.m.18 views

CVE-2026-9251

Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : Devolutions Serv...

0.00142EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/05/22 12:0 a.m.20 views

PT-2026-42796

Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : Devolutions Serv...

5.8AI score0.00142EPSS
Exploits0References1
euvd
euvd
added 2026/05/20 5:28 a.m.10 views

EUVD-2026-31066

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed...

5.3CVSS5.8AI score0.00249EPSS
Exploits0References3
attackerkb
attackerkb
added 2026/05/20 5:28 a.m.7 views

CVE-2026-44392

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed...

5.3CVSS5.8AI score0.00249EPSS
Exploits0References4Affected Software4
ptsecurity
ptsecurity
added 2026/05/20 12:0 a.m.15 views

PT-2026-42108

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed...

5.3CVSS5.8AI score0.00249EPSS
Exploits0References4
redhatcve
redhatcve
added 2026/05/19 1:56 p.m.15 views

CVE-2026-44558

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filterallowedaccessgrants on either create or update paths. A non-admin user who can create group channels or who owns a channel can submit arbitrary...

5.4CVSS5.9AI score0.0019EPSS
Exploits1References1
cve
cve
added 2026/05/18 8:9 a.m.22 views

CVE-2026-3117

Mattermost plugins contain a permission-check flaw in the GitLab plugin command processing. Versions affected: Mattermost Plugins

6.5CVSS5.8AI score0.00228EPSS
Exploits0References1Affected Software1
vulnrichment
vulnrichment
added 2026/05/15 9:9 p.m.8 views

CVE-2026-45351 Open WebUI: Exposure of System Prompt to Regular User [Non-Admin]

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user non-admin logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of...

6.5CVSS5.8AI score0.00281EPSS
Exploits1References1
nvd
nvd
added 2026/05/15 8:16 p.m.19 views

CVE-2026-44558

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filterallowedaccessgrants on either create or update paths. A non-admin user who can create group channels or who owns a channel can submit arbitrary...

5.4CVSS0.0019EPSS
Exploits1References1
cvelist
cvelist
added 2026/05/15 7:43 p.m.47 views

CVE-2026-44558 Open WebUI: Channel Access Grants Bypass filter_allowed_access_grants

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the channel router does not call filterallowedaccessgrants on either create or update paths. A non-admin user who can create group channels or who owns a channel can submit arbitrary...

5.4CVSS0.0019EPSS
Exploits1References1
cvelist
cvelist
added 2026/05/14 6:46 p.m.40 views

CVE-2026-8621 Crabbox < v0.12.0 Authentication Bypass via Header Spoofing

Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a...

8.8CVSS0.00361EPSS
Exploits0References4
snyk
snyk
added 2026/05/14 4:33 p.m.15 views

Missing Authorization

Overview github.com/portainer/portainer/api/http/proxy/factory/docker is a management UI which allows to manage different Docker environments. Affected versions of this package are vulnerable to Missing Authorization in the enforcement of endpoint security restrictions for non-admin users on Dock...

9.9CVSS5.7AI score0.00347EPSS
Exploits1References2
osv
osv
added 2026/05/14 4:33 p.m.26 views

GHSA-5FXQ-QCF3-244W Portainer has an endpoint security bypass via Swarm service create/update

Summary Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt Seccomp / AppArmor, and bind mounts. T...

9.4CVSS5.8AI score0.00347EPSS
Exploits1References6
github
github
added 2026/05/14 4:33 p.m.13 views

Portainer has an endpoint security bypass via Swarm service create/update

Summary Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt Seccomp / AppArmor, and bind mounts. T...

9.4CVSS5.8AI score0.00347EPSS
Exploits1References6Affected Software1
osv
osv
added 2026/05/12 8:0 a.m.5 views

SUSE-SU-2026:1821-1 Security update for NetworkManager

This update for NetworkManager fixes the following issue: - CVE-2025-9615: Fixed non-admin user using others' certificates bsc1257359...

3.3CVSS5.8AI score0.00162EPSS
Exploits0References3
pypa
pypa
added 2026/05/11 6:16 p.m.31 views

PYSEC-2026-126

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

6.8CVSS5.8AI score0.00174EPSS
Exploits1References1Affected Software1
vulnrichment
vulnrichment
added 2026/05/11 4:32 p.m.7 views

CVE-2026-42312 pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general",...

6.8CVSS5.8AI score0.00174EPSS
Exploits1References1
ptsecurity
ptsecurity
added 2026/05/11 12:0 a.m.23 views

PT-2026-39672

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.19 Description Inconsistent authorization controls in the memories API allow a standard non-admin user to view, delete, and restore memories belonging to other users. A user can view existing memories using the...

8.3CVSS5.8AI score0.00294EPSS
Exploits1References12
euvd
euvd
added 2026/05/07 2:59 a.m.12 views

EUVD-2026-28272

Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A...

7.1CVSS5.7AI score0.00297EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/05/07 2:59 a.m.11 views

CVE-2026-41660

Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A...

7.1CVSS5.7AI score0.00297EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder