CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added yesterday•4 views

CVE-2026-56784 OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint

8.6CVSS6AI score

EUVD•added yesterday•6 views

EUVD-2026-38444

OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong ...

8.6CVSS6AI score

Cvelist•added yesterday•23 views

CVE-2026-56784 OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint

8.6CVSS

CVE•added yesterday•8 views

CVE-2026-56784

OpenRemote Manager before 1.24.2 contains an insecure direct object reference in removeAlarms(), enabling authenticated users to delete alarms across tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint does not validate that IDs belong to the caller’s realm, enabling cross-tenant...

8.6CVSS6AI score

RedhatCVE•added 2026/04/25 7:22 a.m.•4 views

CVE-2026-41166

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the realm path segment when talking to the...

7CVSS5.3AI score0.00285EPSS

Exploits1References1

NVD•added 2026/04/22 9:17 p.m.•5 views

CVE-2026-41166

7CVSS0.00285EPSS

NVD•added 2026/04/22 9:17 p.m.•7 views

CVE-2026-40882

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to...

7.6CVSS0.00249EPSS

Exploits1References1

CVE•added 2026/04/22 8:33 p.m.•11 views

CVE-2026-40882

OpenRemote’s Velbus asset import vulnerability (CVE-2026-40882) is an XXE in the import path prior to version 1.22.0. An authenticated user with import access can trigger XML external entity processing when posting Velbus project XML, potentially causing server-side file disclosure (target file

7.6CVSS5.7AI score0.00249EPSS

Exploits1References1Affected Software1

Vulnrichment•added 2026/04/22 8:33 p.m.•1 views

CVE-2026-40882 OpenRemote has XXE in Velbus Asset Import

7.6CVSS5.7AI score0.00249EPSS

Exploits1References1

ATTACKERKB•added 2026/04/22 8:33 p.m.•2 views

CVE-2026-40882

7.6CVSS5.7AI score0.00249EPSS

Exploits1References2Affected Software1

Cvelist•added 2026/04/22 8:31 p.m.•27 views

CVE-2026-41166 OpenRemote has Improper Access Control via updateUserRealmRoles function

7CVSS0.00285EPSS

EUVD•added 2026/04/22 8:31 p.m.•6 views

EUVD-2026-25096

ATTACKERKB•added 2026/04/22 8:31 p.m.•3 views

CVE-2026-41166

Exploits1References3Affected Software1

CVE•added 2026/04/22 8:31 p.m.•12 views

CVE-2026-41166

Summary of CVE-2026-41166 : OpenRemote prior to v1.22.1 allows a user with the OpenRemote Keycloak realm role write:admin in one realm to call the Manager API and update realm roles for users in a different realm, including the master realm. The underlying issue is that the handler uses the {real...

Exploits1References2Affected Software1

Vulnrichment•added 2026/04/22 8:31 p.m.•3 views

CVE-2026-41166 OpenRemote has Improper Access Control via updateUserRealmRoles function

Github Security Blog•added 2026/04/22 2:38 p.m.•5 views

OpenRemote has Improper Access Control via updateUserRealmRoles function

Summary A user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the realm path segment when talking to the identity provider but does not check that the caller may administer that realm...