Lucene search
K

1170 matches found

euvd
euvd
added 2026/07/01 12:34 a.m.8 views

EUVD-2026-40436

Capgo before 12.128.2 contains an information disclosure vulnerability in the /private/validatepasswordcompliance endpoint that returns different error responses for malformed, non-existent, and existing organization IDs. Unauthenticated attackers can enumerate valid organization UUIDs by observi...

6.9CVSS5.8AI score0.00261EPSS
Exploits0References3
securelist
securelist
added 2026/06/29 10:0 a.m.12 views

The Gentlemen are knocking: сustom backdoors and evolving tactics

Introduction This year saw the emergence of The Gentlemen, a prominent example of a group operating under the ransomware-as-a-service RaaS model. Although our initial assessment suggested the group first appeared in mid-2025, it actually started ramping up its activities at the beginning of 2026...

6AI score
Exploits0
cgr
cgr
added 2026/06/26 8:22 p.m.7 views

GHSA-RM3J-F69W-WQMQ vulnerabilities

Vulnerabilities for packages: crossplane-provider-aws-kendra, crossplane-provider-aws-kendra-fips, crossplane-provider-aws-opensearchserverless-fips, docker-cli-buildx-fips, wal-g, crossplane-provider-aws-efs-fips, crossplane-provider-azure-relay, argo-cd-fips, policy-controller, coder,...

6.1AI score
Exploits0
cgr
cgr
added 2026/06/26 8:22 p.m.12 views

GHSA-Q4H4-GMJ2-QVW2 vulnerabilities

Vulnerabilities for packages: crossplane-provider-aws-kendra, crossplane-provider-aws-kendra-fips, crossplane-provider-aws-opensearchserverless-fips, docker-cli-buildx-fips, wal-g, crossplane-provider-aws-efs-fips, crossplane-provider-azure-relay, argo-cd-fips, policy-controller, coder,...

6.1AI score
Exploits0
nvd
nvd
added 2026/06/23 7:17 p.m.13 views

CVE-2026-54322

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the targe...

7.7CVSS0.00186EPSS
Exploits0References1
nvd
nvd
added 2026/06/23 1:16 p.m.13 views

CVE-2026-56222

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/rolebindings that fails to verify appid ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by...

8.6CVSS0.00356EPSS
Exploits0References2
euvd
euvd
added 2026/06/23 12:12 p.m.7 views

EUVD-2026-38428

Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers get/put/delete/post. API keys created with mode=all but restricted to a single app via limitedtoapps are only checked for limitedtoorgs and not for limitedtoapps, so an app-scoped key ca...

8.7CVSS5.9AI score0.00292EPSS
Exploits0References2
euvd
euvd
added 2026/06/23 12:12 p.m.9 views

EUVD-2026-38427

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/rolebindings that fails to verify appid ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by...

8.6CVSS6AI score0.00356EPSS
Exploits0References2
snyk
snyk
added 2026/06/18 1:7 p.m.4 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the user provisioning process. An attacker can gain unauthorized access to user records across organizational boundaries by recreating a deleted user with the same identifier in a...

4.2CVSS5.9AI score0.00286EPSS
Exploits0References3
snyk
snyk
added 2026/06/16 11:41 p.m.4 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the checkTokenPublicOnly function. An attacker can access private organization data by using a public-only scoped API token to enumerate organizations, thereby bypassing intended access restrictions. Remediation...

5.3CVSS5.9AI score0.00271EPSS
Exploits0References2
snyk
snyk
added 2026/06/16 11:41 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the checkTokenPublicOnly function. An attacker can access private organization data by using a public-only scoped API token to enumerate organizations, thereby bypassing intended access restrictions. Remediation...

5.3CVSS5.9AI score0.00271EPSS
Exploits0References2
github
github
added 2026/06/16 11:41 p.m.10 views

Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw

Summary Two related issues in the token public-only scope enforcement introduced by PR 32204 CVE-2025-68941 fix. A public-only scoped API token can access private organization data. Issue 1: /user/orgs missing checkTokenPublicOnly routers/api/v1/api.go line 1599: go m.Get"/user/orgs", reqToken,...

5.3CVSS7.6AI score0.00271EPSS
Exploits0References2Affected Software1
ptsecurity
ptsecurity
added 2026/06/16 12:0 a.m.20 views

PT-2026-50135

Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description An issue exists in the token public-only scope enforcement where a public-only scoped API token can access private organization data. This occurs due to two flaws: the endpoint '/user/orgs' is...

4.3CVSS5.8AI score0.00271EPSS
Exploits0References12
wired
wired
added 2026/06/09 5:0 p.m.28 views

Anthropic Offers Mythos Upgrade for Cyber Partners and a ‘Safe’ Version for the Rest of You

Anthropic is releasing Claude Mythos 5 to trusted organizations and Claude Fable 5 to the public, a version it says can’t be used for cyberattacks...

5.5AI score
Exploits0
trendmicroblog
trendmicroblog
added 2026/06/08 12:0 a.m.10 views

Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open

Two separate Russia-aligned campaigns are still exploiting the WinRAR flaw CVE-2025-8088 against Ukrainian organizations nearly a year after it was patched, showing how unmanaged software keeps an exploited entry point open long after the fix ships...

8.8CVSS7.3AI score0.80906EPSS
Exploits35
redhatcve
redhatcve
added 2026/06/05 7:32 p.m.9 views

CVE-2026-6863

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization the lowest authenticated role, holding only READRESULTS permission can issue a single authenticated HTTP GET that can read any files...

6.8CVSS5.2AI score0.00236EPSS
Exploits0References1
cnnvd
cnnvd
added 2026/06/04 12:0 a.m.10 views

MISP 安全漏洞

MISP is a set of open-source software solutions developed by MISP. This product is used for collecting, storing, distributing, and sharing network security metrics. It also includes functions such as analysis of threats to network security and malware analysis. MISP has a security vulnerability...

5.1CVSS5.4AI score0.00154EPSS
Exploits0References1
cvelist
cvelist
added 2026/05/29 4:11 p.m.41 views

CVE-2026-45632 Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId...

9.9CVSS0.00256EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/05/28 3:27 a.m.12 views

CVE-2026-9791

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect OIDC token with the 'organization' scope. This allows organization metadata to be disclosed in...

4.3CVSS5.7AI score0.00214EPSS
Exploits0References7
snyk
snyk
added 2026/05/28 3:8 a.m.13 views

Incorrect Authorization

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization via the user-facing APIs when the Organizations feature is disabled. An attacker can...

7.1CVSS5.3AI score0.00214EPSS
Exploits0References2
Rows per page
Query Builder