385 matches found

RedhatCVE
added 6 days ago, 6 views

CVE-2026-41128

Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3 CVSS, 5.5 AI score, 0.00041 EPSS
Exploits 0, References 1
CNNVD
added 2026/05/27 12:00 a.m., 5 views

WordPress plugin miniorange otp verification security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. WordPress...

9.8 CVSS, 5.8 AI score, 0.00054 EPSS
Exploits 0, References 1
OSV
added 2026/05/14 8:15 p.m., 3 views

GHSA-R8WH-8M7R-FH33 Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file

Summary: A missing permission check in all files-related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. Details: All files/ related endpoints lack permission checks. Listing all files: For example, let's see how file listing ...

8.1 CVSS, 5.8 AI score, 0.00033 EPSS
Exploits 1, References 3
CVE
added 2026/05/13 2:12 p.m., 10 views

CVE-2026-41959

CVE-2026-41959 affects BIG-IP/BIG-IQ TMOS Shell (tmsh) network diagnostics and iControl REST. Root cause: incorrect permission assignments allow an authenticated user to view destination systems' network status. Impact: control-plane exposure (viewing network status) with no data-plane exposure; ...

7.1 CVSS, 5.8 AI score, 0.00051 EPSS
Exploits 0, References 1
F5 Networks
added 2026/05/13 1:14 p.m., 10 views

K000156581: iControl REST and tmsh vulnerability CVE-2026-40462

Security Advisory Description: Incorrect permission assignment vulnerabilities exist in iControl REST and an undisclosed TMOS Shell (tmsh) command, which may allow an authenticated attacker to view sensitive information. CVE-2026-40462 Impact: An authenticated attacker may exploit these vulnerabilities b...

7.1 CVSS, 5.7 AI score, 0.00063 EPSS
Exploits 0, Affected Software 11
CNNVD
added 2026/05/13 12:00 a.m., 5 views

F5 BIG-IP security vulnerability

F5 BIG-IP is an application delivery platform developed by F5 Technologies in the United States. It integrates functions such as network traffic management, application security management, and load balancing. F5 BIG-IP has a security vulnerability that stems from improper permission allocation,...

7.1 CVSS, 5.8 AI score, 0.00063 EPSS
Exploits 0, References 1
NVD
added 2026/05/04 2:16 p.m., 8 views

CVE-2026-6499

Incorrect Permission Assignment for Critical Resource vulnerability in ILM Informatique OpenConcerto allows Replace Binaries. This issue affects OpenConcerto: 1.7.5...

2.4 CVSS, 0.00017 EPSS
Exploits 0, References 1
CNNVD
added 2026/04/10 12:00 a.m., 3 views

Rapid7 Insight Agent security vulnerability

Rapid7 Insight Agent is lightweight software developed by Rapid7 Corporation in the United States. This software is capable of collecting data from IT assets. Rapid7 Insight Agent has a security vulnerability, which stems from improper permission settings on the client key file. This...

6.8 CVSS, 5.8 AI score, 0.00009 EPSS
Exploits 0, References 1
ATTACKERKB
added 2026/04/09 5:36 p.m., 1 view

CVE-2026-40071

pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/packageorder, /json/linkorder, and /json/abortlink WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execut...

5.4 CVSS, 6 AI score, 0.00039 EPSS
Exploits 1, References 2, Affected Software 1
RedhatCVE
added 2026/02/21 7:29 p.m., 3 views

CVE-2026-26096

Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request...

8.5 CVSS, 5.4 AI score, 0.00017 EPSS
Exploits 0, References 1
CVE
added 2026/02/13 3:04 p.m., 10 views

CVE-2026-25531

Kanboard is affected by CVE-2026-25531 due to a missing permission check in the TaskCreationController::duplicateProjects() endpoint. The vulnerability allows an authenticated user to duplicate tasks into projects they should not access, enabling horizontal privilege escalation within Kanboard's ...

4.3 CVSS, 5.5 AI score, 0.00037 EPSS
Exploits 1, References 3, Affected Software 1
OSV
added 2026/02/06 3:54 p.m., 6 views

OESA-2026-1279 python-wheel security update

A built-package format for Python. A wheel is a ZIP-format archive with a specially formatted filename and the .whl extension. It is designed to contain all the files for a PEP 376 compatible install in a way that is very close to the on-disk format. Security Fixes: wheel is a command line tool f...

7.1 CVSS, 6.4 AI score, 0.00015 EPSS
Exploits 2, References 2
CNNVD
added 2026/02/05 12:00 a.m., 2 views

WordPress plugin ELEX WordPress HelpDesk & Customer Ticketing System security vulnerability

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server. A WordPress plugin is an application plugin. A security vulnerability exists in the WordPress plugin ELEX WordPress HelpDesk & Customer...

5.3 CVSS, 5.7 AI score, 0.00014 EPSS
Exploits 0, References 3
CVE
added 2026/01/28 7:51 p.m., 9 views

CVE-2026-21865

Discourse advisory CVE-2026-21865 affects Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, where moderators could convert some personal messages to public topics despite lacking access. The issue is patched in 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Remediation options in...

6.5 CVSS, 5.7 AI score, 0.00061 EPSS
Exploits 0, References 1, Affected Software 1
OSV
added 2026/01/19 8:47 p.m., 3 views

CVE-2026-23875 CrawlChat's Discord Bot has a Knowledge Permission vulnerability

CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a missing permission check in CrawlChat's Discord bot allows guild users without manage permissions to put malicious content into the collection knowledge base...

7.1 CVSS, 5.5 AI score, 0.00048 EPSS
Exploits 1, References 5
RedhatCVE
added 2026/01/09 12:41 p.m., 9 views

CVE-2023-25645

There is a permission and access control vulnerability in some ZTE AndroidTV STBs. Due to improper permission settings, a non-privileged application can perform functions that are protected with signature/privilege-level permissions. Exploitation of this vulnerability could clear personal data and...

7.7 CVSS, 6.8 AI score, 0.00039 EPSS
Exploits 0, References 1
RedhatCVE
added 2026/01/09 8:48 a.m., 4 views

CVE-2025-23403

A vulnerability has been identified in SIMATIC IPC DiagBase (all versions) and SIMATIC IPC DiagMonitor (all versions). The affected devices do not properly restrict user permissions for the registry key. This could allow an authenticated attacker to load vulnerable drivers into the system, leading to...

7.3 CVSS, 7 AI score, 0.00009 EPSS
Exploits 0, References 1
RedhatCVE
added 2026/01/07 9:30 a.m., 15 views

CVE-2019-16698

The directmail (aka Direct Mail) extension through 5.2.2 for TYPO3 has a missing access check in the backend module, allowing a user with restricted permissions to the feusers table to view and export data of frontend users who are subscribed to a newsletter...

4.3 CVSS, 6.8 AI score, 0.00114 EPSS
Exploits 0, References 1
Tenable Nessus
added 2025/12/08 12:00 a.m., 4 views

Amazon Linux 2 : containerd, --advisory ALAS2NITRO-ENCLAVES-2025-078 (ALASNITRO-ENCLAVES-2025-078)

The version of containerd installed on the remote host is prior to 2.1.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2025-078 advisory. containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6,...

7.8 CVSS, 6.5 AI score, 0.00007 EPSS
Exploits 1, References 6
Amazon
added 2025/12/08 12:00 a.m., 1 view

Medium: containerd

Issue Overview: containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths /var/lib/containerd,...

7.8 CVSS, 5.6 AI score, 0.00007 EPSS
Exploits 1