305 matches found
Missing Authorization
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authorization via the test.php endpoint and the retrieveSubscriptions process. An attacker can terminate active Stripe subscriptions belonging to other use...
CVE-2026-28786
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an unsanitized filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a FileNotFoundError whose message — including th...
CVE-2026-32680
The installer of RATOC RAID Monitoring Manager for Windows allows to customize the installation folder. If the installation folder is customized to some non-default one, the folder may be left with un-secure ACLs and non-administrative users can alter contents of that folder. It may allow a...
RATOC RAID Monitoring Manager for Windows 安全漏洞
RATOC RAID Monitoring Manager for Windows is a software developed by RATOC RAID in Japan, designed for monitoring and managing the RAID hard drive boxes it supports. RATOC RAID Monitoring Manager for Windows has a security vulnerability; this vulnerability stems from the installation program’s...
WordPress WP DSGVO Tools (GDPR) plugin <= 3.1.38 - Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users vulnerability
Missing Authorization to Unauthenticated Account Destruction of Non-Admin Users vulnerability discovered by shark3y in WordPress Plugin WP DSGVO Tools GDPR versions = 3.1.38...
CVE-2026-33509
pyLoad is a free and open-source download manager written in Python. From version 0.4.0 to before version 0.5.0b3.dev97, the setconfigvalue API endpoint allows users with the non-admin SETTINGS permission to modify any configuration option without restriction. The reconnect.script config option...
CVE-2026-33304 OpenEMR has Authorization Bypass in Dated Reminders Log
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the dated reminders log allows any authenticated non-admin user to view reminder messages belonging to other users, including associated patient...
CVE-2026-33304 OpenEMR has Authorization Bypass in Dated Reminders Log
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the dated reminders log allows any authenticated non-admin user to view reminder messages belonging to other users, including associated patient...
INSATutorat has an authorization bypass vulnerability in its /api/admin/* endpoints
Impact An authorization bypass vulnerability was discovered in the administration pages of the tutoring application. When a standard user logged in but without administrator privileges attempts to access a resource under /api/admin/, the system detects the error but does not block the request. As...
CVE-2026-23703
The CVE-2026-23703 entry concerns the FinalCode Client installer from Digital Arts Inc. A flaw in the installer's default permissions allows a non-administrative user to escalate to SYSTEM by exploiting local permission settings (LOCAL, PR:L, UI:N). The issue is confirmed by both the CVE record a...
CVE-2026-26964
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET...
WindMill 信息泄露漏洞
WindMill is a free open-source tool developed by Lukasavicus’ individual developer. It is used to control the execution of tasks in Python. Versions of WindMill prior to 1.634.6 contained a vulnerability known as “information leakage,” which occurred because the Slack OAuth client token was...
CVE-2026-26964 Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members
Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET...
CVE-2026-20141 Improper Access Control in Splunk Monitoring Console App
In Splunk Enterprise versions below 10.0.2, 10.0.3, 9.4.8, and 9.3.9, a low-privileged user who does not hold the "admin" Splunk role could access the Splunk Monitoring Console App endpoints due to an improper access control. This could lead to a sensitive information disclosure.The Monitoring...
Axis Camera Station Pro 安全漏洞
Axis Camera Station Pro is a video management software developed by the Swedish company Axis. There is a security vulnerability in Axis Camera Station Pro, which stems from insecure direct object references. This vulnerability may allow non-administrator users to modify or delete certain data...
Axis Camera Station Pro 安全漏洞
Axis Camera Station Pro is a video management software developed by the Swedish company Axis. There is a security vulnerability in Axis Camera Station Pro, which allows non-administrator users to execute privilege escalation attacks on the server...
EUVD-2026-3285
CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base...
CVE-2026-23875 CrawlChat's Discord Bot has a Knowledge Permission vulnerability
CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base...
CVE-2026-23875 CrawlChat's Discord Bot has a Knowledge Permission vulnerability
CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base...
CVE-2026-23875
CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base...