Lucene search
+L

311 matches found

Snyk
Snyk
added 2026/04/08 12:4 a.m.4 views

Incorrect Authorization

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Incorrect Authorization in the configuration for SSL certificate and key file paths due to incorrect option name checks. An attacker can gain unauthorized...

7.6CVSS5.9AI score0.00142EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/07 8:22 p.m.4 views

CVE-2026-39400

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

5.3CVSS6AI score0.00171EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/07 8:22 p.m.4 views

CVE-2026-39400 Stored XSS via Job HTML/Table Output in Cronicle

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

5.3CVSS5.9AI score0.00171EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/07 8:22 p.m.5 views

EUVD-2026-19923

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

5.3CVSS6AI score0.00171EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 5:32 p.m.1 views

CVE-2026-39328

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, an...

8.9CVSS5.9AI score0.00203EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/07 5:32 p.m.2 views

CVE-2026-39328 ChurchCRM has Stored XSS in Social Profile Fields

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, an...

8.9CVSS5.9AI score0.00203EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/01 9:6 p.m.3 views

Missing Authorization

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization via the test.php endpoint and the retrieveSubscriptions process. An attacker can terminate active Stripe subscriptions belonging to other use...

7.1CVSS5.8AI score0.00281EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/26 11:37 p.m.1 views

CVE-2026-28786

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a FileNotFoundError whose message — including th...

4.3CVSS5.8AI score0.00427EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/26 6:55 a.m.2 views

CVE-2026-32680

The installer of RATOC RAID Monitoring Manager for Windows allows to customize the installation folder. If the installation folder is customized to some non-default one, the folder may be left with un-secure ACLs and non-administrative users can alter contents of that folder. It may allow a...

8.5CVSS6.1AI score0.00145EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2026/03/26 12:0 a.m.14 views

RATOC RAID Monitoring Manager for Windows 安全漏洞

RATOC RAID Monitoring Manager for Windows is a software developed by RATOC RAID in Japan, designed for monitoring and managing the RAID hard drive boxes it supports. RATOC RAID Monitoring Manager for Windows has a security vulnerability; this vulnerability stems from the installation program’s...

8.5CVSS7.5AI score0.00145EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/03/25 8:26 a.m.10 views

WordPress WP DSGVO Tools (GDPR) plugin <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users vulnerability

Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users vulnerability discovered by shark3y in WordPress Plugin WP DSGVO Tools GDPR versions = 3.1.38...

9.1CVSS5.8AI score0.00431EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/03/24 8:16 p.m.7 views

CVE-2026-33509

pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the setconfigvalue API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option...

8.8CVSS0.00529EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/03/19 8:27 p.m.25 views

CVE-2026-33304 OpenEMR has Authorization Bypass in Dated Reminders Log

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the dated reminders log allows any authenticated non-admin user to view reminder messages belonging to other users, including associated patient...

6.5CVSS0.00312EPSS
Exploits1References2
OSV
OSV
added 2026/03/19 8:27 p.m.6 views

CVE-2026-33304 OpenEMR has Authorization Bypass in Dated Reminders Log

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the dated reminders log allows any authenticated non-admin user to view reminder messages belonging to other users, including associated patient...

6.5CVSS6AI score0.00312EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/03/01 1:22 a.m.8 views

INSATutorat has an authorization bypass vulnerability in its /api/admin/* endpoints

Impact An authorization bypass vulnerability was discovered in the administration pages of the tutoring application. When a standard user logged in but without administrator privileges attempts to access a resource under /api/admin/, the system detects the error but does not block the request. As...

6AI score
Exploits0References3Affected Software1
CVE
CVE
added 2026/02/26 5:39 a.m.33 views

CVE-2026-23703

The CVE-2026-23703 entry concerns the FinalCode Client installer from Digital Arts Inc. A flaw in the installer's default permissions allows a non-administrative user to escalate to SYSTEM by exploiting local permission settings (LOCAL, PR:L, UI:N). The issue is confirmed by both the CVE record a...

8.5CVSS5.8AI score0.0012EPSS
Exploits0References2
NVD
NVD
added 2026/02/20 12:16 a.m.6 views

CVE-2026-26964

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET...

2.7CVSS0.00274EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/02/20 12:0 a.m.11 views

WindMill 信息泄露漏洞

WindMill is a free open-source tool developed by Lukasavicus’ individual developer. It is used to control the execution of tasks in Python. Versions of WindMill prior to 1.634.6 contained a vulnerability known as “information leakage,” which occurred because the Slack OAuth client token was...

2.7CVSS5.9AI score0.00274EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/02/19 11:57 p.m.28 views

CVE-2026-26964 Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET...

2.7CVSS0.00274EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/02/18 4:45 p.m.7 views

CVE-2026-20141 Improper Access Control in Splunk Monitoring Console App

In Splunk Enterprise versions below 10.0.2, 10.0.3, 9.4.8, and 9.3.9, a low-privileged user who does not hold the "admin" Splunk role could access the Splunk Monitoring Console App endpoints due to an improper access control. This could lead to a sensitive information disclosure.The Monitoring...

4.3CVSS5.5AI score0.00187EPSS
Exploits0References1
Rows per page
Query Builder