Lucene search
K

54 matches found

Circl
Circl
added 2026/07/06 10:35 p.m.7 views

CVE-2026-54641

creationtimestamp| type| source ---|---|--- 2026-07-06 22:35:18+00:00| published-proof-of-concept| https://github.com/openremote/openremote/security/advisories/GHSA-xqr9-4wvv-gvch...

5.9AI score
Exploits0References1
Circl
Circl
added 2026/07/06 10:35 p.m.9 views

CVE-2026-54640

creationtimestamp| type| source ---|---|--- 2026-07-06 22:35:16+00:00| published-proof-of-concept| https://github.com/openremote/openremote/security/advisories/GHSA-7v6w-c3f4-9wpq...

5.9AI score
Exploits0References1
Circl
Circl
added 2026/07/06 6:35 p.m.7 views

CVE-2026-49439

creationtimestamp| type| source ---|---|--- 2026-07-06 18:35:13+00:00| published-proof-of-concept| https://github.com/openremote/openremote/security/advisories/GHSA-xj53-j257-hxvg...

5.9AI score
Exploits0References1
Circl
Circl
added 2026/07/02 10:35 p.m.10 views

CVE-2026-57168

creationtimestamp| type| source ---|---|--- 2026-07-02 22:35:13+00:00| published-proof-of-concept| https://github.com/openremote/openremote/security/advisories/GHSA-h3m5-97jq-qjrf...

5.8AI score
Exploits0References1
NVD
NVD
added 2026/06/23 9:17 p.m.13 views

CVE-2026-56120

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it's a duplicate of CVE-2026-56784...

Exploits0
CVE
CVE
added 2026/06/23 8:54 p.m.19 views

CVE-2026-56120

Affected software: OpenRemote before 1.25.0.Vulnerability: insecure direct object reference (IDOR) in the bulk alarm deletion endpoint.Root cause: removeAlarms() in AlarmResourceImpl.java omits realm-scoping validation in the JPA query, enabling any user with alarm-write permissions to enumerate ...

6AI score
Exploits0
EUVD
EUVD
added 2026/06/23 8:54 p.m.8 views

EUVD-2026-38594

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority as it's a duplicate of CVE-2026-56784...

8.6CVSS5.7AI score0.00258EPSS
Exploits0
NVD
NVD
added 2026/06/23 1:16 p.m.12 views

CVE-2026-56784

OpenRemote before 1.25.0 contains an insecure direct object reference IDOR vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms method in AlarmResourceImpl.java...

8.6CVSS0.00258EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/23 12:13 p.m.4 views

CVE-2026-56784 OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint

OpenRemote before 1.25.0 contains an insecure direct object reference IDOR vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms method in AlarmResourceImpl.java...

8.6CVSS6AI score0.00258EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/23 12:13 p.m.12 views

EUVD-2026-38444

OpenRemote Manager before 1.24.2 contains an insecure direct object reference vulnerability in the removeAlarms method that allows authenticated users to delete alarms from other tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint fails to validate that targeted alarm IDs belong ...

8.6CVSS6AI score0.00258EPSS
Exploits0References2
CVE
CVE
added 2026/06/23 12:13 p.m.31 views

CVE-2026-56784

OpenRemote Manager before 1.24.2 contains an insecure direct object reference in removeAlarms(), enabling authenticated users to delete alarms across tenants by supplying arbitrary alarm IDs. The bulk deletion endpoint does not validate that IDs belong to the caller’s realm, enabling cross-tenant...

8.6CVSS6AI score0.00258EPSS
Exploits0References2
OSV
OSV
added 2026/06/23 12:13 p.m.3 views

CVE-2026-56784 OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint

OpenRemote before 1.25.0 contains an insecure direct object reference IDOR vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms method in AlarmResourceImpl.java...

8.6CVSS6.1AI score0.00258EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/23 12:13 p.m.42 views

CVE-2026-56784 OpenRemote < 1.25.0 IDOR via Bulk Alarm Deletion Endpoint

OpenRemote before 1.25.0 contains an insecure direct object reference IDOR vulnerability in the bulk alarm deletion endpoint that allows authenticated users to permanently delete alarms belonging to other tenants by supplying arbitrary alarm IDs. The removeAlarms method in AlarmResourceImpl.java...

8.6CVSS0.00258EPSS
Exploits0References2
OSV
OSV
added 2026/06/19 9:43 p.m.11 views

GHSA-H3M5-97JQ-QJRF OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)

Summary OpenRemote Manager is vulnerable to a cross-tenant Insecure Direct Object Reference IDOR in the bulk alarm deletion endpoint. An authenticated user in any realm can delete alarms belonging to other realms tenants by supplying arbitrary alarm IDs. The vulnerability exists because the bulk...

9.6CVSS6AI score0.00258EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/04/25 7:22 a.m.8 views

CVE-2026-41166

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the realm path segment when talking to the...

7CVSS5.3AI score0.00285EPSS
Exploits1References1
NVD
NVD
added 2026/04/22 9:17 p.m.9 views

CVE-2026-41166

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the realm path segment when talking to the...

7CVSS0.00285EPSS
Exploits1References2
NVD
NVD
added 2026/04/22 9:17 p.m.35 views

CVE-2026-40882

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to...

7.6CVSS0.00249EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/22 8:33 p.m.3 views

CVE-2026-40882 OpenRemote has XXE in Velbus Asset Import

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to...

7.6CVSS5.7AI score0.00249EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/22 8:33 p.m.3 views

CVE-2026-40882

OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to...

7.6CVSS5.7AI score0.00249EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/04/22 8:33 p.m.18 views

CVE-2026-40882

OpenRemote’s Velbus asset import vulnerability (CVE-2026-40882) is an XXE in the import path prior to version 1.22.0. An authenticated user with import access can trigger XML external entity processing when posting Velbus project XML, potentially causing server-side file disclosure (target file

7.6CVSS5.7AI score0.00249EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder