Vikunja vulnerable to Privilege Escalation via Project Reparenting

Summary A user with Write-level access to a project can escalate their permissions to Admin by moving the project under a project they own. After reparenting, the recursive permission CTE resolves ownership of the new parent as Admin on the moved project. The attacker can then delete the project,...

CVE-2025-13326 Mattermost Desktop App fails to enable Hardened Runtime when packaged for Mac App Store

Mattermost Desktop App versions 6.0.0 fail to enable the Hardened Runtime on the Mattermost Desktop App when packaged for Mac App Store which allows an attacker to inherit TCC permissions via copying the binary to a tmp folder...

CVE-2025-14714 TCC Bypass via Inherited Permissions in Bundled Interpreter

An Authentication Bypass vulnerability existed where the application bundled an interpreter Python that inherits the Transparency, Consent, and Control TCC permissions granted by the user to the main application bundle By executing the bundled interpreter directly the attacker's scripts run with...

CVE-2025-64746 Directus has Improper Permission Handling on Deleted Fields

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This...

EUVD-2022-41056

Malicious code in bioql PyPI...

CVE-2025-36104

IBM Storage Scale 5.2.3.0 and 5.2.3.1 could allow an authenticated user to obtain sensitive information from files due to the insecure permissions inherited through the SMB protocol...

CVE-2024-24747

MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for s3: actions, but also admin: actions. Which means unless somewhere above in the access-key hierarchy, the admin rights are denied, access keys will be able t...

minio -- privilege escalation via permissions inheritance

Minio security advisory GHSA-xx8w-mq23-29g4 ports: When someone creates an access key, it inherits the permissions of the parent key. Not only for s3: actions, but also admin: actions. Which means unless somewhere above in the access-key hierarchy, the admin rights are denied, access keys will be...

Design/Logic Flaw

The C:\Program Files x86\Splashtop\Splashtop Software Updater\uninst.exe process creates a folder at C:\Windows\Tempnsu.tmp and copies itself to it as Au.exe. The C:\Windows\Tempnsu.tmp\Au.exe file is automatically launched as SYSTEM when the system reboots or when a standard user runs an MSI...

DEBIAN-CVE-2022-29909

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird 91.9, Firefox ESR 91.9, and Firefox 100...

CVE-2022-29909

CVE-2022-29909 is a Firefox/Thunderbird vulnerability described as privilege escalation via deeply-nested cross-origin browsing contexts that could inherit top-level permissions. Affected products and versions from connected advisories: Thunderbird < 91.9 and Firefox (including ESR)

Mozilla: Cross-origin XSLT Documents would have inherited the parent's permissions

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of a cross-origin iframe referencing an XSLT document inheriting the parent domain's permissions such as microphone or camera access...

Mozilla: Bypassing permission prompt in nested browsing contexts

The Mozilla Foundation Security Advisory describes this flaw as: Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions...

Mozilla: Bypassing permission prompt in nested browsing contexts

The Mozilla Foundation Security Advisory describes this flaw as: Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions...

Mozilla: Bypassing permission prompt in nested browsing contexts

The Mozilla Foundation Security Advisory describes this flaw as: Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions...

CVE-2022-29909

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird 91.9, Firefox ESR 91.9, and Firefox 100...

UBUNTU-CVE-2022-29909

Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions. This vulnerability affects Thunderbird 91.9, Firefox ESR 91.9, and Firefox 100...

CVE-2022-29909

The Mozilla Foundation Security Advisory describes this flaw as: Documents in deeply-nested cross-origin browsing contexts could have obtained permissions granted to the top-level origin, bypassing the existing prompt and wrongfully inheriting the top-level permissions...

Hack tricks with QQ skin to do a backdoor invasion-vulnerability warning-the black bar safety net

A few days ago lcx prompted to say and QQ overflow vulnerability, and then suddenly the reminders I used to have a few QQ. vbs file didn't seriously go read it. So into the directory looking for it, this look does not matter Ah, almost weighs that. The original We for QQ of operation is like this...