Lucene search

29 matches found

Snyk · added 2026/05/05 9:49 p.m.

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the cani callback, which issues SubjectAccessReview requests without enforcing context-aware allow-lists. An attacker can obtain information about RBAC permissions of any user or service account across the...

CVSS 5.3 · AI score 5.8 · EPSS 0.00171
Exploits 0 · References 2
EUVD · added 2026/04/22 6:31 p.m.

EUVD-2026-24969

A vulnerability in uutils coreutils mkfifo allows the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it does not terminate the operation for that path and continues to execute a follow-up...

CVSS 7.1 · AI score 5.9 · EPSS 0.00165
Exploits 1 · References 2
Cvelist · added 2026/04/22 4:08 p.m.

CVE-2026-35353 uutils coreutils mkdir Permission Exposure Race Condition with -m

The mkdir utility in uutils coreutils incorrectly applies permissions when the -m flag is used: it creates the directory with umask-derived permissions (typically 0755) and only afterwards changes them to the requested mode via a separate chmod system call. In multi-user environments, this introduces ...

CVSS 3.3 · EPSS 0.00102
Exploits 0 · References 2
Vulnrichment · added 2026/02/03 2:08 p.m.

CVE-2026-24997 WordPress Wired Impact Volunteer Management plugin <= 2.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Wired Impact Volunteer Management (wired-impact-volunteer-management) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wired Impact Volunteer Management: from n/a through 2.8...

CVSS 5.3 · AI score 5.3 · EPSS 0.00176
Exploits 0 · References 1
OSV · added 2025/12/05 5:11 p.m.

CVE-2025-66513 Nextcloud Tables app share information not limited to relevant users

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table numeric ID is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9,...

CVSS 4.3 · AI score 6.5 · EPSS 0.0024
Exploits 0 · References 6
EUVD · added 2025/12/05 5:11 p.m.

EUVD-2025-201441

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information which table numeric ID is shared with which groups or users and the respective permissions was not limited to privileged users. This vulnerability is fixed in 0.8.9,...

CVSS 4.3 · AI score 6 · EPSS 0.0024
Exploits 0 · References 4
Github Security Blog · added 2025/10/23 12:31 p.m.

Moodle exposed the names of hidden groups to users

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information...

CVSS 6.5 · AI score 6.7 · EPSS 0.00225
Exploits 0 · References 6 · Affected Software 1
EUVD · added 2025/10/03 8:07 p.m.

EUVD-2025-9524

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 4.9 · EPSS 0.00295
Exploits 0 · References 5
RedhatCVE · added 2025/10/01 11:17 a.m.

CVE-2025-41099

Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access the list of permissions using unauthorised internal identifiers...

CVSS 7.1 · AI score 6.6 · EPSS 0.00288
Exploits 0 · References 1
Positive Technologies · added 2025/09/30 12:00 a.m.

PT-2025-39979

Name of the Vulnerable Software and Affected Versions: BOLD Workplanner versions prior to 2.5.25. Description: An Insecure Direct Object Reference (IDOR) issue exists in BOLD Workplanner. The problem stems from insufficient validation of user input, which allows an authenticated user to access a list ...

CVSS 7.1 · AI score 6.5 · EPSS 0.00288
Exploits 0 · References 3
OSV · added 2025/09/29 11:26 a.m.

USN-5495-2 curl regression

USN-5495-1 fixed vulnerabilities in curl. The fix for CVE-2022-32205 miscalculated the maximum cookie size, causing a regression. This update fixes the problem. Original advisory details: Harry Sintonen discovered that curl incorrectly handled certain cookies. An attacker could possibly use this...

AI score 5.8
Exploits 0 · References 2
Talos · added 2025/07/28 12:00 a.m.

MedDream PACS Premium setup incorrect default permissions vulnerability

Talos Vulnerability Report TALOS-2025-2154: MedDream PACS Premium setup incorrect default permissions vulnerability. July 28, 2025. CVE Number: CVE-2025-26469. SUMMARY: An incorrect default permissions vulnerability exists in the CServerSettings::SetRegistryValues functionality of MedDream PACS Premium...

CVSS 9.8 · AI score 6.4 · EPSS 0.00522
Exploits 1
RedhatCVE · added 2025/06/12 12:21 p.m.

CVE-2025-43700

Improper Preservation of Permissions vulnerability in Salesforce OmniStudio FlexCards allows exposure of encrypted data. This impacts OmniStudio: before Spring 2025...

CVSS 7.5 · AI score 7.7 · EPSS 0.00392
Exploits 0 · References 1
RedhatCVE · added 2025/05/23 7:37 a.m.

CVE-2024-4226

It was identified that in certain versions of Octopus Server a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed...

CVSS 3.5 · AI score 6.9 · EPSS 0.00303
Exploits 0
CVE · added 2025/05/22 6:15 p.m.

CVE-2024-13948

CVE-2024-13948 describes an information-disclosure vulnerability in ABB ASPECT family tools (ASPECT-Enterprise, NEXUS Series, MATRIX Series) caused by Windows permissions not being fully secured for ASPECT configuration toolsets. The root cause is an incorrect default privilege flaw that can expo...

CVSS 7.3 · AI score 7.3 · EPSS 0.00132
Exploits 2 · References 1
NVD · added 2025/04/02 11:15 a.m.

CVE-2025-2786

A flaw was found in Tempo Operator, where it creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. This flaw allows a user with full access to their namespace to extract the ServiceAccount token and use it to submit TokenReview...

CVSS 4.3 · EPSS 0.00295
Exploits 0 · References 5
Talos Blog · added 2025/02/06 11:00 a.m.

Google Cloud Platform Data Destruction via Cloud Build

Background & Public Research. Google Cloud Platform (GCP) Cloud Build is a Continuous Integration/Continuous Deployment (CI/CD) service offered by Google that is used to automate the building, testing and deployment of applications. Orca Security published an article describing certain aspects of...

AI score 7.4
Exploits 0
Positive Technologies · added 2024/07/02 12:00 a.m.

PT-2024-8934 · Rockwell Automation · Factorytalk System Services +1

Name of the Vulnerable Software and Affected Versions: FactoryTalk Policy Manager (affected versions not specified); FactoryTalk System Services (affected versions not specified). Description: The issue is related to insufficient private key storage permissions in the software, potentially allowing an...

CVSS 6.5 · AI score 6.4 · EPSS 0.00304
Exploits 0 · References 5
OSV · added 2024/04/30 2:15 a.m.

CVE-2024-4226

It was identified that in certain versions of Octopus Server a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed...

CVSS 3.5 · AI score 5.8 · EPSS 0.00303
Exploits 0 · References 1
OSV · added 2024/04/25 6:15 p.m.

CVE-2024-2905

A security vulnerability has been discovered within rpm-ostree, pertaining to the /etc/shadow file in default builds having the world-readable bit enabled. This issue arises from the default permissions being set at a higher level than recommended, potentially exposing sensitive authentication da...

CVSS 6.2 · AI score 5.7 · EPSS 0.0033
Exploits 0 · References 8
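
Several entries above are incorrect-default-permission findings: the rpm-ostree /etc/shadow entry directly above, the FactoryTalk private-key storage entry, and the MedDream and ABB default-permission entries. The check a practitioner runs against such defaults, as an added example that is not rpm-ostree's or any vendor's code, is to compare each sensitive path's mode bits against the widest mode a policy allows and report the excess. The policy table and the scratch files created in `demo()` are constructed for the example.

```python
"""Audit sensitive paths for permission bits wider than a policy allows.

Added example, not rpm-ostree's or any vendor's code. The policy table and
the files the demo creates are constructed for this example.
"""
import os
import stat
import tempfile

# Widest acceptable mode per path. /etc/shadow mirrors CVE-2024-2905 above
# (world-readable bit set by default); the key directory mirrors the
# FactoryTalk private-key storage entry. Assumed values, adjust to your baseline.
DEFAULT_POLICY = {
    "/etc/shadow": 0o640,
    "/etc/ssl/private": 0o700,
}


def excess_bits(actual_mode: int, allowed: int) -> int:
    """Permission bits set in `actual_mode` that `allowed` does not permit."""
    return stat.S_IMODE(actual_mode) & ~allowed


def world_readable(mode: int) -> bool:
    """True when the 'other' read bit is set, the rpm-ostree /etc/shadow case."""
    return bool(stat.S_IMODE(mode) & stat.S_IROTH)


def audit(policy: dict) -> dict:
    """Map each path whose mode exceeds policy to its excess bits.

    Missing paths are skipped. lstat is used deliberately: a symlink planted
    at a policed path is reported (its link mode exceeds any policy here)
    instead of being silently resolved to some other, correctly-permissioned
    file.
    """
    findings = {}
    for path, allowed in policy.items():
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        extra = excess_bits(st.st_mode, allowed)
        if extra:
            findings[path] = extra
    return findings


def demo() -> dict:
    """Recreate the rpm-ostree situation in a scratch dir (constructed input):
    a shadow file at 0o644 (world-readable) next to a key file at 0o600.
    Returns findings keyed by basename."""
    with tempfile.TemporaryDirectory() as tmp:
        shadow = os.path.join(tmp, "shadow")
        key = os.path.join(tmp, "server.key")
        for path, mode in ((shadow, 0o644), (key, 0o600)):
            with open(path, "w") as fh:
                fh.write("constructed\n")
            os.chmod(path, mode)
        policy = {shadow: 0o640, key: 0o600, os.path.join(tmp, "absent"): 0o600}
        return {os.path.basename(p): bits for p, bits in audit(policy).items()}


if __name__ == "__main__":
    for path, bits in audit(DEFAULT_POLICY).items():
        print(f"{path}: mode exceeds policy by {bits:04o}")
```

On the constructed input only the shadow file is reported, with excess bits 0o004 (the world-read bit); the correctly-permissioned key and the absent path produce nothing. Run `audit(DEFAULT_POLICY)` on a live host to check the real defaults, extending the table with whatever private-key or configuration paths the advisories above correspond to in your environment.
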