2347 matches found

NVD
added 3 days ago, 7 views

CVE-2026-13350

Permissions were checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create...

CVSS: 2.3, EPSS: 0.0017
Exploits: 0, References: 1
Cvelist
added 3 days ago, 30 views

CVE-2026-13350

Permissions were checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create...

CVSS: 2.3, EPSS: 0.0017
Exploits: 0, References: 1
NVD
added 4 days ago, 8 views

CVE-2026-57299

Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata...

CVSS: 4.3, EPSS: 0.00187
Exploits: 0, References: 1
NVD
added 4 days ago, 8 views

CVE-2026-57291

Missing permission checks in Jenkins Gitee Plugin 1288.v18bdebc9069b and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method...

CVSS: 5.4, EPSS: 0.00145
Exploits: 0, References: 1
CVE
added 4 days ago, 5 views

CVE-2026-57299

CVE-2026-57299: Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read to enumerate the names of configured Contrast metadata. Public references (NVD, CVE lists, Alpine, EUVD, Att&CK entries, and the Jenkins security...

CVSS: 4.3, AI score: 5.9, EPSS: 0.00187
Exploits: 0, References: 1, Affected Software: 1
EUVD
added 4 days ago, 9 views

EUVD-2026-38772

Missing permission checks in Jenkins Gitee Plugin 1288.v18bdebc9069b and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method...

CVSS: 5.4, AI score: 5.8, EPSS: 0.00145
Exploits: 0, References: 1
CVE
added 4 days ago, 9 views

CVE-2026-57291

CVE-2026-57291 affects Jenkins Gitee Plugin (version 1288.v18b_deb_c9069b_ and earlier). The issue is missing permission checks in the plugin, allowing attackers with Overall/Read permissions to connect to an attacker-controlled URL using attacker-controlled credentials IDs obtained through anoth...

CVSS: 5.4, AI score: 5.8, EPSS: 0.00145
Exploits: 0, References: 1
Cvelist
added 4 days ago, 30 views

CVE-2026-57291

Missing permission checks in Jenkins Gitee Plugin 1288.v18bdebc9069b and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method...

EPSS: 0.00145
Exploits: 0, References: 1
Jenkins Security Advisories
added 4 days ago, 5 views

Missing permission checks in contrast-continuous-application-security allow enumerating Contrast metadata

contrast-continuous-application-security 3.11 and earlier does not perform permission checks in several HTTP endpoints that fill list box options with the names of the configured Contrast metadata. This allows attackers with Overall/Read permission to enumerate the names of configured Contrast...

CVSS: 4.3, AI score: 5.8, EPSS: 0.00187
Exploits: 0, Affected Software: 1
NVD
added 5 days ago, 5 views

CVE-2026-54555

rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an...

CVSS: 7.8, EPSS: 0.00128
Exploits: 0, References: 1
NVD
added 6 days ago, 11 views

CVE-2026-8074

Mattermost versions 11.7.x <= 11.7.0, 10.11.x <= 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/id/active API...

CVSS: 3.8, EPSS: 0.00192
Exploits: 0, References: 1
CVE
added 6 days ago, 10 views

CVE-2026-8074

Mattermost CVE-2026-8074 affects Mattermost versions 11.7.x (<=11.7.0) and 10.11.x (

CVSS: 3.8, AI score: 5.9, EPSS: 0.00192
Exploits: 0, References: 1, Affected Software: 1
AstraLinux
added 2026/06/19 11:10 a.m., 3 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: genetlink: Fixed the issue where genl_bind invokes bind after -EPERM. Callbacks for bind and unbind were introduced to allow systems to track the presence of multicast group consumers. For example, these callbacks can be used to...

CVSS: 5.5, AI score: 5.8, EPSS: 0.00135
Exploits: 0, References: 2
AstraLinux
added 2026/06/19 11:10 a.m., 6 views

Astra Linux – Vulnerability in Linux

In the rbd block device driver located in drivers/block/rbd.c within the Linux kernel, up to version 5.8.9, incomplete permission checks were used for accessing rbd devices. This could have been exploited by local attackers to map or unmap rbd block devices, specifically the CID-f44d04e696fe devi...

CVSS: 4.1, AI score: 6.4, EPSS: 0.00308
Exploits: 0, References: 1
AstraLinux
added 2026/06/19 11:10 a.m., 6 views

Astra Linux – Vulnerability in Zabbix

The request to LDAP is sent before checking the user permissions...

CVSS: 9.1, AI score: 8.2, EPSS: 0.00561
Exploits: 0, References: 2
AstraLinux
added 2026/06/19 11:10 a.m., 5 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: nsfs: Permission checks for ns iteration ioctls have been tightened. Even privileged services should not necessarily be able to access the namespaces of other privileged services, so that they cannot leak information to each othe...

CVSS: 8.8, AI score: 5.7, EPSS: 0.00129
Exploits: 0, References: 2
AstraLinux
added 2026/06/19 11:10 a.m., 1 view

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: do_change_type: refusal to operate on unmounted/not ours mounts. It is ensured that propagation settings can only be changed for mounts located within the caller’s mount namespace. This change aligns permission checks with those of...

CVSS: 5.5, AI score: 6.1, EPSS: 0.00155
Exploits: 0, References: 2
AstraLinux
added 2026/06/19 11:10 a.m., 6 views

Astra Linux – Vulnerability in Linux, Linux-6.1

Local privilege escalation vulnerability in Ubuntu Kernels overlayfs: the ovl_copy_up_meta_inode_data function skips permission checks when calling ovl_do_setxattr on Ubuntu kernels...

CVSS: 7.8, AI score: 7.1, EPSS: 0.08894
Exploits: 12, References: 2
Positive Technologies
added 2026/06/19 12:0 a.m., 9 views

PT-2026-51121

Name of the Vulnerable Software and Affected Versions: SpiceDB versions prior to 1.54.0. Description: Under concurrency, the CheckPermission and CheckBulkPermissions functions can incorrectly return PERMISSIONSHIP_HAS_PERMISSION instead of PERMISSIONSHIP_CONDITIONAL_PERMISSION for a specific resourc...

CVSS: 3.7, AI score: 5.9
Exploits: 0, References: 4
Cvelist
added 2026/06/18 9:12 p.m., 21 views

CVE-2026-49205 phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)

phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this->userHasPermission(PermissionType::BACKUP). The same fix was not applied to 4 other write endpoints...

CVSS: 6.5, EPSS: 0.0024
Exploits: 0, References: 2