
17 matches found

NVD
added 2026/06/02 2:16 p.m. · 10 views

CVE-2026-10622

Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/ endpoints...

CVSS 8.2 · EPSS 0.00314
Exploits: 0 · References: 2
Vulnrichment
added 2026/06/02 2:01 p.m. · 8 views

CVE-2026-10622

Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/ endpoints...

AI score 5.8 · EPSS 0.00314
Exploits: 0 · References: 2
CVE
added 2026/06/02 2:01 p.m. · 33 views

CVE-2026-10622

CVE-2026-10622 concerns the Collibra Agent and exposes remote unauthenticated access via exposed REST endpoints (/rest/*). The issue stems from improper authentication/authorization for privileged functionality, enabling remote attackers to interact with sensitive functionality. CVSS v3.1 vector:...

CVSS 8.2 · AI score 5.8 · EPSS 0.00314
Exploits: 0 · References: 2
Snyk
added 2026/05/21 8:34 p.m. · 14 views

Incorrect Authorization

Overview: nocodb is a NocoDB package. Affected versions of this package are vulnerable to Incorrect Authorization via the OAuthTokenStrategy in the authentication component. An attacker can access endpoints reserved for other token types or privileged users by presenting an OAuth token to routes that accep...

CVSS 7.4 · AI score 5.8 · EPSS 0.00021
Exploits: 0 · References: 2
Github Security Blog
added 2026/04/10 7:39 p.m. · 4 views

Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export

Summary: Ech0 scoped access tokens do not reliably enforce least privilege: multiple privileged admin routes omit scope checks, and the backup export handler strips token scope metadata entirely, allowing a low-scope admin access token to reach broader admin functionality than intended. Impact: An...

AI score 5.9
Exploits: 0 · References: 3 · Affected Software: 1
OSV
added 2026/04/10 7:39 p.m. · 4 views

GHSA-4H9Q-P5J4-XVVH Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export

Summary: Ech0 scoped access tokens do not reliably enforce least privilege: multiple privileged admin routes omit scope checks, and the backup export handler strips token scope metadata entirely, allowing a low-scope admin access token to reach broader admin functionality than intended. Impact: An...

CVSS 7.6 · AI score 5.9
Exploits: 0 · References: 3
RedhatCVE
added 2026/03/09 8:01 a.m. · 3 views

CVE-2026-30824

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the NVIDIA NIM router /api/v1/nvidia-nim/ is whitelisted in the global authentication middleware, allowing unauthenticated access to privileged container management and token generati...

CVSS 9.8 · AI score 5.7 · EPSS 0.3625
Exploits: 2 · References: 1
CNNVD
added 2026/03/07 12:00 a.m. · 3 views

Flowise Access Control Error Vulnerability

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior versions of Flowise 3.0.13 contained an access control vulnerability. This vulnerability stemmed from the inclusion of NVIDIA NIM routers in the global authentication middleware whitelist,...

CVSS 9.8 · AI score 5.8 · EPSS 0.3625
Exploits: 2 · References: 2
CVE
added 2025/12/01 3:17 p.m. · 15 views

CVE-2025-11699

CVE-2025-11699 affects nopCommerce: versions 4.70 and earlier, and 4.80.3, fail to invalidate session cookies after logout, enabling a valid session cookie to access privileged endpoints (e.g., /admin) post-logout and risk session hijacking. The data indicates that any version above 4.70 that is ...

CVSS 7.1 · AI score 6.5 · EPSS 0.00405
Exploits: 0 · References: 4 · Affected Software: 1
EUVD
added 2025/10/03 8:07 p.m. · 4 views

EUVD-2022-46752

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 9.5 · EPSS 0.00888
Exploits: 0 · References: 1
RedhatCVE
added 2025/05/23 12:57 a.m. · 7 views

CVE-2022-43782

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the usermanagement path. This vulnerability can only be exploited by IPs specified under the...

CVSS 9.8 · AI score 7.1 · EPSS 0.00888
Exploits: 0 · References: 1
CNNVD
added 2024/10/22 12:00 a.m. · 1 view

Umbraco Cross-Site Scripting Vulnerability

Umbraco is an open source content management system CMS written in C from Umbraco, Denmark. A cross-site scripting vulnerability exists in Umbraco version 14.0.0 and earlier, which stems from susceptibility to cross-site scripting attacks that could be exploited to access higher privileged...

CVSS 8.7 · AI score 6.1 · EPSS 0.00326
Exploits: 0 · References: 2
ATTACKERKB
added 2023/12/12 1:15 a.m. · 4 views

CVE-2023-36651

Hidden and hard-coded credentials in ProLion CryptoSpike 3.0.15P2 allow remote attackers to login to web management as super-admin and consume the most privileged REST API endpoints via these credentials...

CVSS 7.2 · AI score 7.2 · EPSS 0.00996
Exploits: 1 · References: 2
Positive Technologies
added 2022/12/28 12:00 a.m. · 2 views

PT-2022-28106 · Unknown · Usememos/Memos

Name of the Vulnerable Software and Affected Versions: usememos/memos versions prior to 0.9.1. Description: The issue concerns the incorrect use of privileged APIs in the usememos/memos GitHub repository. A user can archive any private memos, delete any shortcut, and edit any shortcut from other...

CVSS 7.3 · AI score 7.3 · EPSS 0.00507
Exploits: 1 · References: 11
Tenable Nessus
added 2022/12/01 12:00 a.m. · 41 views

Atlassian Crowd 3.x / 4.x < 4.4.4 / 5.x < 5.0.3 Security Bypass (CWD-5888)

The version of Atlassian Crowd installed on the remote host is 3.x, 4.x prior to 4.4.4, or 5.x prior to 5.0.3. It is, therefore, affected by a security bypass vulnerability due to security misconfiguration. An unauthenticated, remote attacker can exploit this by authenticating as the crowd...

CVSS 9.8 · AI score 8.8 · EPSS 0.00888
Exploits: 0 · References: 3
OSV
added 2022/11/17 12:15 a.m. · 3 views

CVE-2022-43782

Affected versions of Atlassian Crowd allow an attacker to authenticate as the crowd application via security misconfiguration and subsequent ability to call privileged endpoints in Crowd's REST API under the usermanagement path. This vulnerability can only be exploited by IPs specified under the...

CVSS 9.8 · AI score 5.8 · EPSS 0.00888
Exploits: 0 · References: 1
Prion
added 2018/11/30 3:29 p.m. · 15 views

Authorization

IBM StoredIQ 7.6.0 does not implement proper authorization of user roles due to which it was possible for a low privileged user to access the application endpoints of high privileged users and also perform some state changing actions restricted to a high privileged user. IBM X-Force ID: 153119...

CVSS 2.1 · AI score 5.2 · EPSS 0.00324
Exploits: 0 · References: 2 · Affected Software: 1