ArgoCD Project API Token Repository Credentials Exposure
Argo CD API tokens with project-level permissions can retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application-management permissions and no explicit access to secrets. This vulnerability...
CVE-2026-27775
Summary: CVE-2026-27775 affects Gitea 1.25.5, where a branch-specific write-permission result is cached across multiple refs in a single pre-receive hook session. This permits a per-branch maintainer-edit grant to be reused on other refs, potentially escalating to full repository write access. Im...
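The entry above describes a permission result computed for one ref being reused for every other ref in the same hook session. The following Go program is an added illustration of that failure mode and its fix; it is not Gitea's code, and the Repo model, the maintainer-edit grant map and the user and branch names are constructed for this example.

```go
package main

import "fmt"

// Repo is a hypothetical model of repository write permissions as a
// pre-receive hook might consult them. Constructed for this example.
type Repo struct {
	Writers []string // users with repository-wide write access
	// MaintainerEdit maps a branch ref to the users who were granted
	// "allow edits from maintainers" on a pull request from that branch.
	MaintainerEdit map[string][]string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// canWriteRef is the authoritative per-ref check: repository writers may push
// anywhere, but a maintainer-edit grant only covers its own branch.
func (r *Repo) canWriteRef(user, ref string) bool {
	if contains(r.Writers, user) {
		return true
	}
	return contains(r.MaintainerEdit[ref], user)
}

// vulnerableHook models the flawed behaviour: the result for the first ref is
// cached for the whole session and reused for every later ref of the push.
func vulnerableHook(r *Repo, user string, refs []string) map[string]bool {
	results := make(map[string]bool, len(refs))
	cached := false
	var allowed bool
	for _, ref := range refs {
		if !cached {
			allowed = r.canWriteRef(user, ref)
			cached = true
		}
		results[ref] = allowed
	}
	return results
}

// fixedHook keys its cache by ref, so each ref is evaluated on its own.
func fixedHook(r *Repo, user string, refs []string) map[string]bool {
	results := make(map[string]bool, len(refs))
	cache := make(map[string]bool)
	for _, ref := range refs {
		allowed, ok := cache[ref]
		if !ok {
			allowed = r.canWriteRef(user, ref)
			cache[ref] = allowed
		}
		results[ref] = allowed
	}
	return results
}

func main() {
	repo := &Repo{
		Writers:        []string{"alice"},
		MaintainerEdit: map[string][]string{"refs/heads/feature": {"mallory"}},
	}
	// mallory's push lists the branch she was granted first, then main.
	refs := []string{"refs/heads/feature", "refs/heads/main"}
	fmt.Println("vulnerable:", vulnerableHook(repo, "mallory", refs))
	fmt.Println("fixed:     ", fixedHook(repo, "mallory", refs))
}
```

The order of refs in the push is attacker-controlled, so any cache shared across refs must include the ref in its key; the fixed variant does exactly that and nothing else changes.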
CVE-2026-26231
Gitea versions up to 1.26.1 contain an authorization bypass in the "Allow edits from maintainers" option. The root cause is that the PR-create flow binds allow_maintainer_edit=true without verifying the submitter's write access to the HEAD repository, enabling reverse-fork PR abuse to authorize pushes...
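The entry above turns on a request flag being trusted without checking that the submitter could grant it. The Go program below is an added example of the reverse-fork pattern and the missing check; it is not Gitea's code, and the Repo and PullRequest types, the createPR functions and the victim/mallory repositories are all constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Repo is a hypothetical repository with a set of users who may push to it.
type Repo struct {
	Name    string
	Writers map[string]bool
}

// PullRequest models the fields relevant to the maintainer-edit grant.
type PullRequest struct {
	HeadRepo            *Repo  // repository the PR branch lives in
	HeadBranch          string // branch that base-repo maintainers may edit
	BaseRepo            *Repo  // repository the PR targets
	AllowMaintainerEdit bool   // may base-repo writers push to HeadBranch?
}

// createPRVulnerable binds the request flag into the PR regardless of whether
// the submitter has write access to the head repository.
func createPRVulnerable(submitter string, head, base *Repo, branch string, allowEdit bool) *PullRequest {
	return &PullRequest{HeadRepo: head, HeadBranch: branch, BaseRepo: base, AllowMaintainerEdit: allowEdit}
}

// createPRFixed only honours the flag when the submitter could push to the
// head branch themselves; nobody can delegate access they do not hold.
func createPRFixed(submitter string, head, base *Repo, branch string, allowEdit bool) (*PullRequest, error) {
	if allowEdit && !head.Writers[submitter] {
		return nil, errors.New("allow_maintainer_edit requires write access to the head repository")
	}
	return &PullRequest{HeadRepo: head, HeadBranch: branch, BaseRepo: base, AllowMaintainerEdit: allowEdit}, nil
}

// canPushToHead is the check applied when someone pushes to the PR's head
// branch: head-repo writers always may; base-repo writers only via the grant.
func canPushToHead(pr *PullRequest, user string) bool {
	if pr.HeadRepo.Writers[user] {
		return true
	}
	return pr.AllowMaintainerEdit && pr.BaseRepo.Writers[user]
}

func main() {
	upstream := &Repo{Name: "victim/project", Writers: map[string]bool{"victim": true}}
	fork := &Repo{Name: "mallory/project", Writers: map[string]bool{"mallory": true}}

	// Reverse-fork PR: mallory opens a PR *from* the upstream repository *into*
	// her own fork and asks for maintainer edits. She cannot write upstream,
	// but as a writer of the base repo (her fork) the grant now covers her.
	pr := createPRVulnerable("mallory", upstream, fork, "main", true)
	fmt.Println("vulnerable: mallory may push to upstream main:", canPushToHead(pr, "mallory"))

	_, err := createPRFixed("mallory", upstream, fork, "main", true)
	fmt.Println("fixed:", err)
}
```

The grant is safe only when it is given by someone who already holds the access it delegates; the fixed variant enforces that at creation time, which is the point the entry describes.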
CVE-2026-25712
CVE-2026-25712 affects Gitea before version 1.25.5: the organization permission APIs lack sufficient visibility checks for hidden members and private organizations, leading to exposure of private visibili...
EUVD-2026-41622
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations...
CVE-2026-25712
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations...
CVE-2026-24690
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches...
CVE-2026-22555
CVE-2026-22555 affects Gitea before 1.26.0. The vulnerability arises because the API endpoint POST /api/v1/repos/{owner}/{repo}/forks does not enforce CanCreateOrgRepo for organization forks, only IsOrgMember, enabling a user in a read-only team to create an org-repo fork. The fork creator gains ...
EUVD-2026-41557
A flaw was found in the Fine-Grained Admin Permissions (FGAP v2) implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when they are requested through a parent group. This allows a...
CVE-2026-14615
A flaw was found in the Fine-Grained Admin Permissions (FGAP v2) implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when they are requested through a parent group. This allows a...
CVE-2026-14614
The CVE-2026-14614 entry concerns Keycloak’s admin services, specifically the ClientResource component under FGAP v2. It describes a bypass where a delegated administrator can attach or remove hidden client scopes beyond their visibility/permission, potentially injecting unauthorized data or perm...
CVE-2026-14613
Technical details are not publicly available in the provided documents. Monitor for updates from Red Hat/NVD for affected Keycloak FGAP v2 integration and any patched versions.
EUVD-2026-41555
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they should not have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can...
CVE-2026-14613
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they should not have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can...
Atlassian Jira <7.13.3/8.0.0-8.1.1 - Incorrect Authorization
Atlassian Jira before version 7.13.3, and from version 8.0.0 before version 8.1.1, is susceptible to incorrect authorization. The ManageFilters.jspa resource allows a remote attacker to enumerate usernames via an incorrect authorization check, thus possibly obtaining sensitive information, modifyi...
BIQS IT Biqs-drive v1.83 Local File Inclusion
A local file inclusion vulnerability exists in BIQS IT Biqs-drive version 1.83 and below when a specific payload is sent as the file parameter to download/index.php. This allows an attacker to read arbitrary files from the server with the permissions of the configured web user. id: CVE-2021-394...
CVE-2026-44268
Dell PowerProtect Data Domain (versions 7.7.1.0–8.6, plus LTS2026 8.6.1.0–8.6.1.10, LTS2025 8.3.1.0–8.3.1.30, LTS2024 7.13.1.0–7.13.1.70) contains an incorrect permission assignment for a critical resource vulnerability. A high-privileged attacker with local access could potentially exploit this ...
EUVD-2026-37813
Steeltoe's sensitive actuators heapdump/env only require Restricted permission...
CVE-2026-59093
Weaviate prior to 1.38.0 fails to verify that a principal granting RBAC roles actually has permissions within those roles. The assignRoleToUser and assignRoleToGroup endpoints (POST /authz/users/{id}/assign, /authz/groups/{id}/assign) only check that the caller may assign roles, not the permissio...
EUVD-2026-41424
Weaviate before 1.38.0 does not verify that a principal performing an RBAC role assignment holds the permissions granted by the assigned role. The assignRoleToUser and assignRoleToGroup handlers (POST /authz/users/{id}/assign and /authz/groups/{id}/assign) authorize only that the caller may assign role...
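Both Weaviate entries above (CVE-2026-59093 and EUVD-2026-41424) describe the same gap: the assign-role handler checks whether the caller may assign roles at all, not whether the caller holds what the role confers. The Go program below is an added example of that check and its hardened form; it is not Weaviate's code, and the Permission and AuthZ types, the role names and the users are constructed for this illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission is a (resource, action) pair; a role is a named set of them.
type Permission struct{ Resource, Action string }

// AuthZ is a hypothetical in-memory RBAC store.
type AuthZ struct {
	Roles     map[string][]Permission // role name -> permissions it grants
	UserRoles map[string][]string     // user -> roles currently held
}

// effective returns the set of permissions a user currently holds.
func (a *AuthZ) effective(user string) map[Permission]bool {
	out := map[Permission]bool{}
	for _, r := range a.UserRoles[user] {
		for _, p := range a.Roles[r] {
			out[p] = true
		}
	}
	return out
}

func (a *AuthZ) canAssignRoles(user string) bool {
	return a.effective(user)[Permission{"roles", "assign"}]
}

// assignRoleVulnerable mirrors the flawed behaviour: only "may the caller
// assign roles?" is checked, never what the role being assigned contains.
func (a *AuthZ) assignRoleVulnerable(caller, target, role string) error {
	if !a.canAssignRoles(caller) {
		return fmt.Errorf("%s may not assign roles", caller)
	}
	a.UserRoles[target] = append(a.UserRoles[target], role)
	return nil
}

// assignRoleFixed additionally requires the caller to hold every permission
// the role would confer, so nobody can hand out more than they have.
func (a *AuthZ) assignRoleFixed(caller, target, role string) error {
	if !a.canAssignRoles(caller) {
		return fmt.Errorf("%s may not assign roles", caller)
	}
	held := a.effective(caller)
	var missing []string
	for _, p := range a.Roles[role] {
		if !held[p] {
			missing = append(missing, p.Resource+":"+p.Action)
		}
	}
	if len(missing) > 0 {
		sort.Strings(missing)
		return fmt.Errorf("%s lacks permissions granted by %s: %v", caller, role, missing)
	}
	a.UserRoles[target] = append(a.UserRoles[target], role)
	return nil
}

// newExample builds the constructed scenario: mallory may assign roles but
// holds nothing else; "admin" grants far more than she has.
func newExample() *AuthZ {
	return &AuthZ{
		Roles: map[string][]Permission{
			"role-manager": {{"roles", "assign"}},
			"admin":        {{"roles", "assign"}, {"collections", "delete"}, {"users", "create"}},
		},
		UserRoles: map[string][]string{"mallory": {"role-manager"}},
	}
}

func main() {
	a := newExample()
	fmt.Println("vulnerable:", a.assignRoleVulnerable("mallory", "mallory", "admin"),
		"-> mallory can delete collections:", a.effective("mallory")[Permission{"collections", "delete"}])
	b := newExample()
	fmt.Println("fixed:", b.assignRoleFixed("mallory", "mallory", "admin"))
}
```

The hardened check is the usual "no grant beyond your own rights" rule: the caller's effective permissions must be a superset of the role's. Assigning a role to oneself is the shortest path from "may assign roles" to full administrative access, which is why the self-assignment case is the one shown.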