Lucene search
K

175 matches found

Cvelist
Cvelist
added yesterday6 views

CVE-2026-27881 Coolify: Cross-team deployment information disclosure via GET /api/v1/deployments/{uuid} (IDOR)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, GET /api/v1/deployments/uuid in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any...

5CVSS
Exploits0References1
NVD
NVD
added 2 days ago7 views

CVE-2026-57498

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId$teamId before any operation. However, multiple Livewire web UI components accept...

9.6CVSS0.00223EPSS
Exploits0References1
CVE
CVE
added 2 days ago8 views

CVE-2026-57943

LibrePhotos (before 1.0.0) contains a broken object-level authorization vulnerability in the SetPhotosShared endpoint. An authenticated user can bypass ownership validation and manipulate shared_to relations to grant themselves access to other users’ private photos, effectively reading arbitrary ...

6CVSS5.9AI score0.0021EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2 days ago4 views

PT-2026-53734

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.474 Description Multiple Livewire web UI components fail to validate team ownership when processing server id and destination uuid passed via URL query parameters. While API controllers correctly use the...

9.6CVSS5.8AI score0.00223EPSS
Exploits0References4
Cvelist
Cvelist
added 5 days ago35 views

CVE-2026-50739

A bypass for CVE‑2026‑34913 exists with proper ownership validation that had not been applied to the reverse operation of linking campaigns and trackers through the tracker-campaigns.php script in Revive Adserver 6.0.7 and earlier. As a result, a low‑privileged user could link their trackers to...

4.3CVSS0.00272EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 5:16 p.m.7 views

CVE-2026-34913

A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership...

4.3CVSS0.00235EPSS
Exploits1References1
NVD
NVD
added 2026/06/23 5:16 p.m.11 views

CVE-2026-34912

A missing access control check when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API allows a low‑privileged user could link their zones to banners or campaigns owned by other managers on the same instance, resulting i...

4.3CVSS0.00235EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 4:14 p.m.16 views

CVE-2026-34913

CVE-2026-34913 describes a missing access control check in Revive Adserver up to version 6.0.6 in the campaign-trackers.php workflow, where a low-privileged user could link trackers to campaigns owned by other managers on the same instance, leading to inconsistent ownership relationships. The und...

4.3CVSS5.8AI score0.00235EPSS
Exploits1References1
EUVD
EUVD
added 2026/06/23 4:14 p.m.6 views

EUVD-2026-38510

A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership...

4.3CVSS5.8AI score0.00235EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/23 4:14 p.m.30 views

CVE-2026-34912

A missing access control check when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API allows a low‑privileged user could link their zones to banners or campaigns owned by other managers on the same instance, resulting i...

4.3CVSS0.00235EPSS
Exploits1References1
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.4 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: rustbinder: Check ownership before using vma. When installing missing pages or zapping them, Rust Binder will look up the vma in the memory management unit by address, and then call vminsertpage or zappagerangesingle. However, if...

7.8CVSS5.7AI score0.00128EPSS
Exploits0References1
CVE
CVE
added 2026/06/18 3:41 a.m.28 views

CVE-2026-10023

Dok an: AI Powered WooCommerce Marketplace Solution

4.3CVSS5.7AI score0.0025EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/06/18 3:41 a.m.29 views

CVE-2026-10023 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the changeorderstatus, addordernote, deleteordernote,...

4.3CVSS0.0025EPSS
Exploits0References10
NVD
NVD
added 2026/06/12 7:16 p.m.16 views

CVE-2026-50244

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water...

6.9CVSS0.00221EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:21 p.m.17 views

CVE-2026-50244

CVE-2026-50244 affects the Naxclow IoT Platform. The registration endpoint accepts signed requests with a batch prefix and a caller-supplied account identifier without ownership validation, allowing an attacker to mint new sequential device identifiers and read the batch’s current high-water coun...

6.9CVSS5.3AI score0.00221EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 6:21 p.m.30 views

CVE-2026-50244 Naxclow IoT Platform Missing Authorization

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water...

6.9CVSS0.00221EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 6:21 p.m.13 views

CVE-2026-50244 Naxclow IoT Platform Missing Authorization

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water...

6.9CVSS5.4AI score0.00221EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.15 views

PT-2026-48959

The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water...

6.9CVSS5.3AI score0.00221EPSS
Exploits0References3
OSV
OSV
added 2026/06/04 5:19 a.m.8 views

MGASA-2026-0172 Updated lxc packages fix security vulnerability

CVE-2026-39402, lxc lxc-user-nic insufficient ownership validation allows cross-tenant OVS port deletion...

6.5CVSS5.8AI score0.00162EPSS
Exploits1References4
SUSE CVE
SUSE CVE
added 2026/06/04 2:23 a.m.7 views

SUSE CVE-2026-45283

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the fileslock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or...

6.3CVSS5.7AI score0.00211EPSS
Exploits0References3
Rows per page
Query Builder