36 matches found
CVE-2026-46424 Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user...
Incorrect Privilege Assignment
Overview @budibase/backend-core is the Budibase backend core library used in the server and worker. Affected versions of this package are vulnerable to Incorrect Privilege Assignment in the POST /api/public/v1/roles/unassign endpoint. Users can retain their privileges for up to one hour after bulk...
CVE-2025-63384
A vulnerability was discovered in RISC-V Rocket-Chip v1.6 and before implementation where the SRET Supervisor-mode Exception Return instruction fails to correctly transition the processor's privilege level. Instead of downgrading from Machine-mode M-mode to Supervisor-mode S-mode as specified by...
Rocket Chip Generator Security Vulnerability
Rocket Chip Generator is an open-source System-on-Chip design generator from CHIPS Alliance Open Source. A security vulnerability exists in Rocket Chip Generator v1.6 and earlier versions, which stems from a failure of the SRET instruction to properly transition processor privilege levels, which coul...
CVE-2025-63384
CVE-2025-63384 affects RISC-V Rocket-Chip v1.6 and earlier. The SRET instruction fails to downgrade from M-mode to S-mode as dictated by sstatus.SPP, causing a privilege retention vulnerability where execution remains in Machine mode. Impact is described as high confidentiality risk with no repor...
PT-2025-46191
Name of the Vulnerable Software and Affected Versions RISC-V Rocket-Chip versions 1.6 and earlier Description A flaw exists in the handling of the SRET Supervisor-mode Exception Return instruction within the processor. Instead of correctly transitioning from Machine-mode M-mode to Supervisor-mode...
CVE-2025-10223
Insufficient Session Expiration CWE-613 in the Web Admin Panel in AxxonSoft Axxon One C-Werk prior to 2.0.3 on Windows allows a local or remote authenticated attacker to retain access with removed privileges via continued use of an unexpired session token until natural expiration...
AxxonSoft AxxonOne Security Vulnerability
AxxonSoft AxxonOne is a video surveillance and security management software from AxxonSoft Ireland. A security vulnerability exists in AxxonSoft AxxonOne versions prior to 2.0.3, which stems from insufficient expiration of the Web Management Panel session, which may result in privilege retention...
Salesforce OmniStudio Security Vulnerability
Salesforce OmniStudio is a digitization platform from US-based Salesforce, Inc. A security vulnerability exists in versions prior to Salesforce OmniStudio Spring 2025 that stems from an improper privilege retention issue that could lead to the bypass of OmniUICard object security controls...
Salesforce OmniStudio Security Vulnerability
Salesforce OmniStudio is a digitization platform from US-based Salesforce, Inc. A security vulnerability exists in versions of Salesforce OmniStudio prior to 2025, which stems from an improper privilege retention issue that could lead to the disclosure of encrypted data...
Salesforce OmniStudio Security Vulnerability
Salesforce OmniStudio is a digitization platform from US-based Salesforce, Inc. A security vulnerability exists in Salesforce OmniStudio versions prior to 2025 that stems from an improper privilege retention issue that could lead to field-level security control bypass...
Salesforce OmniStudio Security Vulnerability
Salesforce OmniStudio is a digitization platform from US-based Salesforce, Inc. A security vulnerability exists in versions prior to Salesforce OmniStudio 254, which stems from an improper privilege retention issue that could lead to a data leak of customized settings...
MediaWiki Security Vulnerability
MediaWiki is a suite of free and freely available web-based Wiki engines from the Wikimedia USA Foundation. It can be used to deploy in-house knowledge management and content management systems. A security vulnerability exists in MediaWiki versions prior to 1.42.6 and prior to 1.43.1, which stems...
MediaWiki Security Vulnerability
MediaWiki is a suite of free and freely available web-based Wiki engines from the Wikimedia USA Foundation. It can be used to deploy in-house knowledge management and content management systems. A security vulnerability exists in MediaWiki versions prior to 1.39.12, prior to 1.42.6, and prior to...
[SECURITY] [DLA 4055-1] trafficserver security update
Debian LTS Advisory DLA-4055-1 [email protected] https://www.debian.org/lts/security/ Daniel Leidert February 16, 2025 https://wiki.debian.org/LTS Package : trafficserver Version : 8.1.11+ds-0+deb11u2 CVE ID : CVE-2024-38479 CVE-2024-50306 Debian Bug : 1087531 Multiple vulnerabilities...
Debian dla-4055 : trafficserver - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4055 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4055-1 [email protected]...
OESA-2024-2470 trafficserver security update
Apache Traffic Server is an open-source HTTP / HTTPS / HTTP/2 / QUIC reverse, forward and transparent proxy and cache. Security Fixes: Improper Input Validation vulnerability in Apache Traffic Server. This issue affects Apache Traffic Server: from 8.0.0 through 8.1.11, from 9.0.0 through 9.2.5...
CVE-2024-50306
Unchecked return value can allow Apache Traffic Server to retain privileges on startup. This issue affects Apache Traffic Server: from 9.2.0 through 9.2.5, from 10.0.0 through 10.0.1. Users are recommended to upgrade to version 9.2.6 or 10.0.2, which fixes the issue...