36 matches found

NVD
added 2 days ago · 7 views

CVE-2026-8176

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent Agent+ to overwrite a...

CVSS 7.5 · EPSS 0.00349
Exploits: 0 · References: 22

NVD
added 2026/05/28 4:16 p.m. · 10 views

CVE-2026-35671

phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to...

CVSS 8.8 · EPSS 0.00303
Exploits: 0 · References: 2

EUVD
added 2026/04/24 2:13 a.m. · 2 views

EUVD-2026-25380

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowin...

CVSS 8.8 · AI score 5.5 · EPSS 0.00472
Exploits: 1 · References: 2

EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2006-3827

Malware in sbrugna...

CVSS 5 · AI score 6.4 · EPSS 0.01294
Exploits: 0 · References: 5

EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2023-12816

Malicious code in bioql PyPI...

CVSS 9.1 · AI score 9 · EPSS 0.00621
Exploits: 0 · References: 2

VulnCheck KEV
added 2025/07/18 12:0 a.m. · 2 views

VulnCheck KEV: CVE-2025-0674

Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by manipulating the endpoint to overwrite any user's password within the system. This grants them unauthorized...

CVSS 9.8 · AI score 5.8 · EPSS 0.03797
In wild · Exploits: 1 · References: 156

RedhatCVE
added 2025/05/22 3:46 p.m. · 18 views

CVE-2020-8553

The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace ...

CVSS 5.9 · AI score 6.8 · EPSS 0.00894
Exploits: 0 · References: 1

CNNVD
added 2025/02/07 12:0 a.m. · 3 views

Elber Communications Equipment Security Vulnerability

Elber Communications Equipment is a communications equipment from Elber. A security vulnerability exists in Elber Communications Equipment that stems from an authentication bypass issue that could allow an attacker to overwrite a user's password and gain unauthorized access...

CVSS 9.8 · AI score 6.8 · EPSS 0.03797
Exploits: 1 · References: 1

RedhatCVE
added 2025/02/05 5:54 p.m. · 10 views

CVE-2019-5162

An exploitable improper access control vulnerability exists in the iwwebs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as...

CVSS 9.9 · AI score 6.9 · EPSS 0.02695
Exploits: 1 · References: 1

ICS
added 2023/03/31 3:58 p.m. · 37 views

Omron CJ1M PLC

1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Omron Equipment: CJ1M PLC Vulnerabilities: Improper Access Control 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to bypass user memory protections by...

CVSS 9.1 · AI score 10 · EPSS 0.00621
Exploits: 0 · References: 5

OSV
added 2021/08/17 3:15 p.m. · 27 views

CVE-2021-25956

In “Dolibarr” application, v3.3.beta120121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since t...

CVSS 7.2 · AI score 7 · EPSS 0.00935
Exploits: 0 · References: 2

Positive Technologies
added 2021/08/17 12:0 a.m. · 3 views

PT-2021-16880 · Dolibarr · Dolibarr

Name of the Vulnerable Software and Affected Versions: Dolibarr versions 3.3.beta1 20121221 through 13.0.2 Description: The issue allows admin level users to change other user's details but fails to validate already existing Login name, while renaming the user Login. This leads to complete accoun...

CVSS 7.2 · AI score 7.3 · EPSS 0.00935
Exploits: 0 · References: 13

OSV
added 2021/06/25 7:15 p.m. · 2 views

CVE-2021-33538

In Weidmueller Industrial WLAN devices in multiple versions an exploitable improper access control vulnerability exists in the iwwebs account settings functionality. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access ...

CVSS 8.8 · AI score 5.8 · EPSS 0.01048
Exploits: 0 · References: 1

Positive Technologies
added 2021/06/25 12:0 a.m. · 4 views

PT-2021-20185 · Weidmueller · Weidmueller Industrial Wlan

Name of the Vulnerable Software and Affected Versions: Weidmueller Industrial WLAN devices affected versions not specified Description: The issue concerns an improper access control vulnerability in the account settings functionality of the device. Specifically, it affects the iw webs account...

CVSS 9 · AI score 8.6 · EPSS 0.01048
Exploits: 0 · References: 4

OSV
added 2020/07/29 3:15 p.m. · 28 views

CVE-2020-8553

The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace ...

CVSS 5.9 · AI score 6.8 · EPSS 0.00894
Exploits: 0 · References: 1

Prion
added 2020/07/29 3:15 p.m. · 23 views

Default credentials

The Kubernetes ingress-nginx component prior to version 0.28.0 allows a user with the ability to create namespaces and to read and create ingress objects to overwrite the password file of another ingress which uses nginx.ingress.kubernetes.io/auth-type: basic and which has a hyphenated namespace ...

CVSS 4.9 · AI score 5.7 · EPSS 0.00894
Exploits: 0 · References: 1 · Affected Software: 1

OSV
added 2020/02/25 4:15 p.m. · 2 views

CVE-2019-5162

An exploitable improper access control vulnerability exists in the iwwebs account settings functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted user name entry can cause the overwrite of an existing user account password, resulting in remote shell access to the device as...

CVSS 8.8 · AI score 7.3 · EPSS 0.02695
Exploits: 1 · References: 1

Tenable Nessus
added 2019/05/08 12:0 a.m. · 15 views

Schneider Electric Modicon M221 < 1.6.2.0 Password Overwrite

Binary data 720153.prm...

CVSS 9.8 · AI score 7.3 · EPSS 0.01896
Exploits: 0 · References: 2

CNVD
added 2018/12/26 12:0 a.m. · 2 views

Permission License Access Control Vulnerability in HOLLiAS_MACS Distributed Control System by HOLLiAS

HOLLIS Group is a professional automation company integrating R&D, production, sales and technical service. A privilege permission access control vulnerability exists in the HOLLiASMACS distributed control system of HOLLiS, which can be exploited by an attacker to overwrite the original password...

AI score 6.9
Exploits: 0

OSV
added 2018/08/29 9:29 p.m. · 1 views

CVE-2018-7791

A Permissions, Privileges, and Access Control vulnerability exists in Schneider Electric's Modicon M221 product all references, all versions prior to firmware V1.6.2.0. The vulnerability allows unauthorized users to overwrite the original password with their password. If an attacker exploits this...

CVSS 9.8 · AI score 5.8
Exploits: 0 · References: 2