CVE-2026-3139 User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppbsaveavatarvalue function due to missing validation on a user-controlled key...
Attacker can gain control of counterfactual wallet
Lines of code Vulnerability details A counterfactual wallet can be used by pre-generating its address using the SmartAccountFactory.getAddressForCounterfactualWallet function. This address can then be securely used, for example, for sending funds to it, knowing in advance that the user will...
NameWrapper: Cannot prevent transfer while upgrade even with CANNOT_TRANSFER fuse regardless of the upgraded NameWrapper's implementation
Lines of code Vulnerability details Impact Upon upgrade to a new NameWrapper contract, the owner of the node will be set to the given wrappedOwner. Since the node will be burned before calling the upgraded NameWrapper, the upgraded NameWrapper cannot check the old owner. Therefore, no matter the...
MIMOProxy.sol can change owner, but not all contracts expect it. Registry.getCurrentProxy() can give wrong outputs.
Lines of code Vulnerability details Impact Registry.getCurrentProxy is expected to return the individual Proxy.sol for a user EOA. But Proxy.sol can change its owner, and Registry will not know it. Thus Registry.getCurrentProxy only shows deployers, and it means nothing for the project. Also,...
[H1] MIMOProxy can be PWNED by malicious delegate call
Lines of code Vulnerability details Impact PRBProxy owner change protection can be bypassed / DoS PoC PRBProxy has a protection to prevent a malicious delegatecall from overwriting the owner. function execute(address target, bytes calldata data) public payable override returns (bytes memory response) ... ... //...
Jenkins Job and Node ownership Plugin Access Control Error Vulnerability
Jenkins is an open source automation server that provides hundreds of plugins to support building, deploying, and automating any project. Jenkins Job and Node ownership Plugin 0.13.0 and earlier versions are vulnerable to an authorization issue that stems from...
CVE-2019-15078
An issue was discovered in a smart contract implementation for AIRDROPX BORN through 2019-05-29, an Ethereum token. The name of the constructor has a typo (wrong case: XBornID versus XBORNID) that allows an attacker to change the owner of the contract and obtain cryptocurrency for free...
OPENSUSE-SU-2020:1304-1 Security update for inn
This update for inn fixes the following issues: - change file owners in /usr/lib/news to root (boo#1172573, CVE-2020-8026) This update was imported from the openSUSE:Leap:15.1:Update update project...
Business Alliance Financial Circle Security Breach
Business Alliance Financial Circle (BAFC) is a cryptocurrency. A security vulnerability exists in the 'UBSexToken' function in BAFC's smart contract implementation, which stems from the fact that the function is publicly available and does not check the identity of the caller. An attacker could use...
openstack-keystone: Credentials endpoint policy logic allows changing credential owner and target project ID
A vulnerability was found in Keystone's EC2 credentials API. This flaw allows any authenticated user to create an EC2 credential for themselves for a project in which they have a specified role, and then perform an update to the credential's user and project, allowing them to masquerade as another user...
Other vulnerabilities exist in the Ethereum smart contract Tubigo 0x43EFc486d1c7c5Cb0193E409a73Aa33786F5197c
TubigoToken is an ERC20 token on Ethereum. The smart contract address is 0x43EFc486d1c7c5Cb0193E409a73Aa33786F5197c, and its function Mining24 (at line 102) can modify the Owner without any permission check. The attacker can call the withdraw function (line 274) to transfer all the ether in the contra...
BOMBBA Authorization Issue Vulnerability
BOMBBA (BOMB) is a cryptocurrency. A security vulnerability exists in the 'quaker' function of BOMB's smart contract implementation, which stems from the fact that the function does not check the identity of the caller. An attacker could use the vulnerability to modify the owner of the smart contrac...
Business Alliance Financial Circle has a logic flaw vulnerability
Business Alliance Financial Circle (BAFC) is a cryptocurrency. A security vulnerability exists in the 'UBSexToken' function in BAFC's smart contract implementation, which stems from the fact that the function is publicly available and does not check the identity of the caller. The vulnerability can ...
NewIntelTechMedia License Issues Vulnerabilities
NewIntelTechMedia (NETM) is a cryptocurrency. A security vulnerability exists in the 'NETM' function in NETM's smart contract implementation, which stems from the fact that the function does not check the identity of the caller. An attacker could use the vulnerability to modify the owner of the smar...
DDQ Authorization Issues Vulnerability
DDQ is a cryptocurrency. A security vulnerability exists in the 'owned' function of DDQ's smart contract implementation, which stems from the fact that the function does not check the identity of the caller. An attacker could use the vulnerability to modify the owner of a smart contract...
Business Alliance Financial Circle (BAFC) Overreach Vulnerability
Business Alliance Financial Circle (BAFC) is a cryptocurrency. The 'UBSexToken' function in BAFC's smart contract implementation is vulnerable to an overreach vulnerability that stems from the fact that the function is publicly available and does not check the identity of the caller. An attacker...
CVE-2018-19834
The quaker function of a smart contract implementation for BOMBBA (BOMB), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity...
CVE-2018-19830
The UBSexToken function of a smart contract implementation for Business Alliance Financial Circle (BAFC), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function is public by default and does not check the caller's identity...
Code injection
The ToOwner function of a smart contract implementation for Cryptbond Network (CBN), a tradable Ethereum ERC20 token, allows attackers to change the owner of the contract, because the function does not check the caller's identity...
CVE-2018-19831
CVE-2018-19831 describes a permission issue in the Cryptbond Network (CBN) smart contract: the ToOwner() function does not validate the caller, enabling an attacker to modify the contract owner. Connected CNVD entries (CNVD-2020-43491 and CNVD-2020-43490) corroborate an authorization/overreach vu...