16 matches found
EUVD-2026-13917
Ory Hydra is an OAuth 2.0 Server and OpenID Connect Provider. Prior to version 26.2.0, the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs in Ory Hydra are vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens ar...
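The pattern behind this class of bug, as an added illustration (not Ory Hydra's code): an admin "list clients" endpoint takes an opaque page token, decodes it and drops its fields straight into the query, so a caller who edits the token controls the SQL. The sqlite3 schema, the token format and the function names are constructed for this example.

```python
"""Added illustration of SQL injection through an opaque pagination token.
Not Ory Hydra's code: a minimal sqlite3 admin 'list clients' endpoint whose
page token (base64 JSON) is interpolated into the query, beside the fixed
version. Table, column and function names are constructed for this example."""
import base64
import json
import sqlite3

ALLOWED_ORDER_COLUMNS = {"id", "client_name"}


def make_db():
    """Constructed sample data: two tenants' OAuth2 clients with secret hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, owner TEXT, "
               "client_name TEXT, secret_hash TEXT)")
    db.executemany("INSERT INTO clients VALUES (?, ?, ?, ?)", [
        (1, "tenant-a", "a-web", "hash-a1"),
        (2, "tenant-a", "a-mobile", "hash-a2"),
        (3, "tenant-b", "b-web", "hash-b1"),
    ])
    return db


def encode_token(after, order="id"):
    """Keyset cursor as the client sees it: base64 of {"after": ..., "order": ...}."""
    payload = json.dumps({"after": after, "order": order}).encode()
    return base64.urlsafe_b64encode(payload).decode()


def decode_token(token):
    return json.loads(base64.urlsafe_b64decode(token.encode()))


def list_clients_vulnerable(db, owner, token, limit=10):
    """Vulnerable pattern: the token looks opaque, but its fields are pasted
    into SQL unchanged, so 'after' and 'order' are attacker-controlled SQL."""
    page = decode_token(token)
    sql = (f"SELECT id, client_name, secret_hash FROM clients "
           f"WHERE owner = '{owner}' AND id > {page['after']} "
           f"ORDER BY {page['order']} LIMIT {limit}")
    return db.execute(sql).fetchall()


def list_clients_hardened(db, owner, token, limit=10):
    """Fixed pattern: type-check the cursor, allowlist the sort column
    (identifiers cannot be bound), and bind every value as a parameter."""
    page = decode_token(token)
    after = page.get("after")
    if not isinstance(after, int) or isinstance(after, bool):
        raise ValueError("pagination cursor must be an integer")
    order = page.get("order", "id")
    if order not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unknown sort column")
    sql = (f"SELECT id, client_name, secret_hash FROM clients "
           f"WHERE owner = ? AND id > ? ORDER BY {order} LIMIT ?")
    return db.execute(sql, (owner, after, limit)).fetchall()


def hardened_rejects(token):
    """True if the hardened endpoint refuses the token outright."""
    try:
        list_clients_hardened(make_db(), "tenant-a", token)
    except ValueError:
        return True
    return False


def demo():
    db = make_db()
    honest = encode_token(0)
    # Forged cursor: a string carrying SQL where a number belongs. In the
    # vulnerable query 'AND id > 0 OR 1=1' defeats the owner filter, so
    # tenant-a's admin reads tenant-b's client rows and secret hashes.
    forged = encode_token("0 OR 1=1")
    return {
        "honest_vulnerable": list_clients_vulnerable(db, "tenant-a", honest),
        "forged_vulnerable": list_clients_vulnerable(db, "tenant-a", forged),
        "honest_hardened": list_clients_hardened(db, "tenant-a", honest),
        "forged_rejected": hardened_rejects(forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The sort column cannot be bound as a query parameter in any SQL driver, which is why the fixed version allowlists it rather than escaping it; the cursor value is bound, and a token whose cursor is not an integer is rejected before any SQL is built.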
CVE-2026-33649
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/Permissions/setPermission.json.php endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application...
EUVD-2026-14486
AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification...
CVE-2026-28193
In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint...
EUVD-2026-8651
In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint...
CVE-2018-25129 SOCA Access Control System 180612 Information Disclosure via Multiple Endpoints
SOCA Access Control System 180612 contains multiple insecure direct object reference vulnerabilities that allow attackers to access sensitive user credentials. Attackers can retrieve authenticated and unauthenticated user password hashes and pins through unprotected endpoints like...
CVE-2024-48905
Sematell ReplyOne 7.4.3.0 has Insecure Permissions for the /rest/sessions endpoint...
PT-2022-13805 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 6.4.1 and earlier Description: The issue is related to improper privilege management in Mattermost, where an API fails to properly protect permissions. This allows authenticated members with restricted custom admin roles t...
Ignited CMS Cross-Site Request Forgery Vulnerability (CNVD-2019-22258)
Ignited CMS is a content management system. A cross-site request forgery vulnerability exists in index.php/admin/permissions in Ignited CMS versions dated 2017-02-19 and earlier; it stems from the product not adequately validating the origin or authenticity of data, an...
PT-2019-13298 · Ignited · Ignited Cms
Name of the Vulnerable Software and Affected Versions: Ignited CMS versions prior to 2017-02-19 Description: The issue allows for Cross-Site Request Forgery CSRF attacks, enabling an attacker to add an administrator account. This is related to the /index.php/admin/permissions endpoint...
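Both the AVideo setPermission.json.php entry and the Ignited CMS admin/permissions entry above describe the same bug class: a permission-changing endpoint that trusts the session cookie alone, so a request the victim's browser is tricked into sending succeeds. The following is an added illustration, not code from either project: an in-memory stand-in for a permission endpoint in its vulnerable form (parameters from the query string, any method, no token) beside the usual fix (POST only, per-session CSRF token compared in constant time). Request, session and permission structures are constructed for this example.

```python
"""Added illustration of GET-based CSRF on a permission endpoint and the
standard fix. Not AVideo's or Ignited CMS's code: requests, sessions and the
permission table are constructed in-memory stand-ins."""
import hmac
import secrets


def new_session_store():
    """Constructed session table: cookie value -> session record carrying
    a per-session CSRF token that only same-origin pages can read."""
    return {"sess-admin": {"user": "admin", "csrf": secrets.token_hex(16)}}


def set_permission_vulnerable(req, sessions, perms):
    """Vulnerable pattern: the session cookie is the only check and the
    parameters come from the query string, so a GET the victim's browser
    makes for an attacker page (img src, link, redirect) changes state."""
    session = sessions.get(req["cookies"].get("session"))
    if session is None:
        return 401
    group, perm = req["query"]["group"], req["query"]["permission"]
    perms.setdefault(group, set()).add(perm)
    return 200


def set_permission_hardened(req, sessions, perms):
    """Fixed pattern: state changes require POST, read only the form body,
    and must carry the session's CSRF token."""
    session = sessions.get(req["cookies"].get("session"))
    if session is None:
        return 401
    if req["method"] != "POST":
        return 405  # a GET never changes state
    form = req.get("form", {})
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403  # a cross-site page cannot obtain the token
    group, perm = form["group"], form["permission"]
    perms.setdefault(group, set()).add(perm)
    return 200


def forged_cross_site_get(victim_cookie):
    """What the victim's browser sends when an attacker page triggers a GET
    to the endpoint: attacker-chosen query string, the victim's session
    cookie attached automatically, and no token."""
    return {"method": "GET",
            "cookies": {"session": victim_cookie},
            "query": {"group": "viewers", "permission": "admin"}}


def legitimate_post(cookie, token):
    """A same-origin form submission carrying the session's CSRF token."""
    return {"method": "POST", "cookies": {"session": cookie}, "query": {},
            "form": {"group": "viewers", "permission": "upload",
                     "csrf_token": token}}


def demo():
    sessions = new_session_store()
    vuln_perms, hard_perms = {}, {}
    forged = forged_cross_site_get("sess-admin")
    good_token = sessions["sess-admin"]["csrf"]
    return {
        "vulnerable_forged": set_permission_vulnerable(forged, sessions, vuln_perms),
        "vulnerable_perms": vuln_perms,
        "hardened_forged": set_permission_hardened(forged, sessions, hard_perms),
        "hardened_bad_token": set_permission_hardened(
            legitimate_post("sess-admin", "guess"), sessions, hard_perms),
        "hardened_legit": set_permission_hardened(
            legitimate_post("sess-admin", good_token), sessions, hard_perms),
        "hardened_perms": hard_perms,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A SameSite=Lax cookie is still sent on a top-level GET navigation, which is why a state-changing GET is not saved by that cookie attribute alone; refusing GET for state changes and requiring a token the cross-site page cannot read closes both routes.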