Lucene search
K

198 matches found

Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.16 views

PT-2026-40563

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2S Post Tools::deleteUserPublishPost and B2S Post Tools::deleteUserSchedPost...

5.4CVSS5.9AI score0.00409EPSS
Exploits0References14
EUVD
EUVD
added 2026/05/12 6:30 p.m.11 views

EUVD-2026-29551

Insufficient ownership checks in clientarea.php allow an authenticated client area user to submit requests using another user’s addonId without any ownership validation leading to unauthorized access to the victim's resources and their cPanel account...

10CVSS5.8AI score0.00319EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/12 5:46 p.m.8 views

CVE-2026-29204

Insufficient ownership check in clientarea.php allows an authenticated client area user to submit requests using another user’s addonId without any ownership validation leading to unauthorized access to the victim's account...

9.1CVSS5.8AI score0.00319EPSS
Exploits1References1
CVE
CVE
added 2026/05/12 5:46 p.m.16 views

CVE-2026-29204

CVE-2026-29204 concerns insufficient ownership checks in the PHP script clientarea.php, enabling an authenticated client to submit requests using another user’s addonId and access the victim’s resources and their cPanel account. The connected documents confirm this is a high-severity issue with e...

9.1CVSS5.8AI score0.00319EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/12 5:46 p.m.37 views

CVE-2026-29204

Insufficient ownership check in clientarea.php allows an authenticated client area user to submit requests using another user’s addonId without any ownership validation leading to unauthorized access to the victim's account...

9.1CVSS0.00319EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.10 views

WebPros WHMCS 安全漏洞

WebPros WHMCS is a customer management and automated billing platform provided by the Swiss company WebPros, aimed at hosting providers and domain service providers. There is a security vulnerability in WebPros WHMCS, which stems from insufficient ownership checks in the clientarea.php file. This...

9.1CVSS5.8AI score0.00319EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.13 views

PT-2026-40319

Name of the Vulnerable Software and Affected Versions WHMCS versions 7.4 through 8.13.2 WHMCS versions 9.0 through 9.0.3 Description Insufficient ownership checks in the 'clientarea.php' endpoint allow an authenticated client area user to submit requests using another user's addonId without...

9.1CVSS5.8AI score0.00319EPSS
Exploits1References11
RedhatCVE
RedhatCVE
added 2026/05/11 8:26 p.m.11 views

CVE-2026-42456

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace...

4.3CVSS5.7AI score0.00301EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.17 views

PT-2026-39671

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.6.19 Description An Insecure Direct Object Reference IDOR exists in the channels message management system, allowing authenticated users to modify or delete any message within channels where they have read access...

7.1CVSS5.8AI score0.00266EPSS
Exploits1References6
NVD
NVD
added 2026/05/08 4:16 a.m.16 views

CVE-2026-41498

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...

3.3CVSS0.00247EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/05/08 3:30 a.m.5 views

CVE-2026-41498

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...

3.3CVSS5.8AI score0.00247EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/05/08 3:30 a.m.2 views

CVE-2026-41498 Kimai: Team API Missing Object-Level Authorization

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...

3.3CVSS5.9AI score0.00247EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.16 views

PT-2026-34842

The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi remove custom image size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with...

5.3CVSS5.8AI score0.00318EPSS
Exploits0References8
EUVD
EUVD
added 2026/04/17 10:19 p.m.6 views

EUVD-2026-23520

Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows...

5.4CVSS5.8AI score0.00108EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/13 7:31 p.m.7 views

Note Mark has Broken Access Control on Asset Download

Summary A broken access control vulnerability allows unauthenticated users to retrieve note assets directly from the asset download endpoint when they know both the note UUID and asset UUID. This exposes the full contents of private note assets without authentication, even when the associated boo...

5.9CVSS5.8AI score0.00409EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/04/10 1:24 a.m.33 views

CVE-2026-4057 Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal

The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the makeMediaPublic and makeMediaPrivate functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for editposts capability...

4.3CVSS0.00373EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/03/30 5:58 p.m.3 views

CVE-2026-33030 Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct...

8.8CVSS5.9AI score0.0028EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/03/30 5:58 p.m.2 views

CVE-2026-33030

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct...

8.8CVSS5.9AI score0.0028EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/30 12:0 a.m.5 views

PT-2026-29091

Nginx-UI and Affected Versions Nginx-UI versions 2.3.3 and prior Description Nginx-UI contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a us...

9.9CVSS5.9AI score0.60368EPSS
Exploits18References49
CNNVD
CNNVD
added 2026/03/27 12:0 a.m.7 views

Langflow 安全漏洞

Langflow is an open-source visualization framework developed by Langflow for building multi-agent and RAG applications. Versions of Langflow prior to 1.5.1 contained security vulnerabilities. These vulnerabilities stemmed from a lack of ownership checks in the readflow assistant, which could allo...

8.8CVSS5.8AI score0.00468EPSS
Exploits0References3
Rows per page
Query Builder