Lucene search
K

35 matches found

CVE
CVE
added 2 days ago13 views

CVE-2026-57870

CVE-2026-57870 describes a broken object-level access control flaw in MicroRealEstate’s Template API (up to version 1.0.0-alpha3). The underlying issue allows an attacker to retrieve document templates used by other organizations without authorization. Affected software is MicroRealEstate, with t...

5.3CVSS6AI score0.00215EPSS
Exploits0References2
NVD
NVD
added 2026/06/23 7:17 p.m.11 views

CVE-2026-54322

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the targe...

7.7CVSS0.00186EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 1:16 p.m.13 views

CVE-2026-56222

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/rolebindings that fails to verify appid ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by...

8.6CVSS0.00356EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/23 12:12 p.m.9 views

EUVD-2026-38427

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/rolebindings that fails to verify appid ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by...

8.6CVSS6AI score0.00356EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:32 p.m.9 views

CVE-2026-6863

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization the lowest authenticated role, holding only READRESULTS permission can issue a single authenticated HTTP GET that can read any files...

6.8CVSS5.2AI score0.00236EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.9 views

MISP 安全漏洞

MISP is a set of open-source software solutions developed by MISP. This product is used for collecting, storing, distributing, and sharing network security metrics. It also includes functions such as analysis of threats to network security and malware analysis. MISP has a security vulnerability...

5.1CVSS5.4AI score0.00154EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/29 4:11 p.m.38 views

CVE-2026-45632 Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId...

9.9CVSS0.00256EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 6:17 p.m.61 views

CVE-2026-44204

Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user any role to execute arbitrary SQL and read data from any table in the database, including data belonging to...

6.5CVSS0.00228EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/08 12:0 a.m.9 views

solidtime 安全漏洞

Solidtime is an open-source time tracking application developed by Solidtime developers. Version 0.12.0 of Solidtime contains a security vulnerability. This vulnerability stems from the fact that the PUT /api/v1/organizations/organization/time-entries/timeEntry API accepts routing bindings for...

5.8CVSS5.8AI score0.00266EPSS
Exploits1References1
OSV
OSV
added 2026/05/06 6:30 p.m.3 views

GHSA-2V93-VP82-CJV8 Velocidex Velociraptor has an Incorrect Authorization issue

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization the lowest authenticated role, holding only READRESULTS permission can issue a single authenticated HTTP GET that can read any files...

6.8CVSS5.7AI score0.00236EPSS
Exploits0References3
NVD
NVD
added 2026/05/06 4:16 p.m.20 views

CVE-2026-6863

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization the lowest authenticated role, holding only READRESULTS permission can issue a single authenticated HTTP GET that can read any files...

6.8CVSS0.00236EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/06 2:50 p.m.8 views

CVE-2026-6863

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization the lowest authenticated role, holding only READRESULTS permission can issue a single authenticated HTTP GET that can read any files...

6.8CVSS5.7AI score0.00236EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.15 views

PT-2026-37643

Name of the Vulnerable Software and Affected Versions Velociraptor versions prior to 0.76.4 Description A cross organization authorization bypass exists in the HTTP API. A user assigned the reader role in the root organization, which possesses only READ RESULTS permission, can perform an...

6.8CVSS5.7AI score0.00236EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added 2026/03/20 2:46 p.m.6 views

CVE-2026-33132

A flaw was found in ZITADEL, an open-source identity management platform. A user could bypass organization enforcement during authentication due to missing controls in device authorization requests and specific login and OIDC API endpoints. This allowed users to sign in with credentials from othe...

5.3CVSS5.7AI score0.00309EPSS
Exploits0References7
Snyk
Snyk
added 2026/03/18 12:42 a.m.3 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the GroupEventJsonView endpoint. An attacker can access event data belonging to other organizations by specifying identifiers for resources outside their authorized scope. Note: This...

7.1CVSS5.8AI score0.00241EPSS
Exploits1References3
NVD
NVD
added 2026/03/11 10:16 p.m.3 views

CVE-2026-32131

ZITADEL is an open source identity management platform. Prior to 3.4.8 and 4.12.2, a vulnerability in Zitadel's Management API has been reported, which allowed authenticated users holding a valid low-privilege token e.g., project.read, project.grant.read, or project.app.read to retrieve...

7.7CVSS0.00393EPSS
Exploits0References3
OSV
OSV
added 2026/02/02 11:16 a.m.5 views

CVE-2024-4147

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, on...

6.5CVSS5.8AI score0.00388EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/02/02 10:36 a.m.28 views

CVE-2024-4147 Insufficient Access Control in lunary-ai/lunary

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, on...

7.5CVSS0.00388EPSS
Exploits1References2
EUVD
EUVD
added 2026/02/02 10:36 a.m.5 views

EUVD-2024-32706

In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, on...

7.5CVSS5.5AI score0.00388EPSS
Exploits1References3
CVE
CVE
added 2026/02/02 10:36 a.m.14 views

CVE-2024-4147

CVE-2024-4147 affects lunary-ai/lunary v1.2.13. The flaw is insufficient access-control granularity: deletion checks only resource-permission, not ownership by project/organization, enabling deletion of prompts from other organizations. This can cause legitimate users to lose access and data inco...

7.5CVSS5.5AI score0.00388EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder