Lucene search
K

3013 matches found

OSV
OSV
added 6 days ago7 views

CVE-2026-55433 Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, perform...

5.4CVSS6AI score0.00394EPSS
Exploits0References8
Cvelist
Cvelist
added 6 days ago38 views

CVE-2026-55433 Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, perform...

5.4CVSS0.00394EPSS
Exploits0References6
NVD
NVD
added last week8 views

CVE-2026-59709

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS0.002EPSS
Exploits0References4
EUVD
EUVD
added last week5 views

EUVD-2026-42046

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS6AI score0.002EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added last week4 views

CVE-2026-59709 Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS6AI score0.002EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added last week8 views

CVE-2026-59709

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS6AI score0.002EPSS
Exploits0References5
CVE
CVE
added last week10 views

CVE-2026-59709

Ghostfolio CVE-2026-59709 affects the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint. The root cause is a missing verification of Access.permissions when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with va...

5.3CVSS6AI score0.002EPSS
Exploits0References4
Cvelist
Cvelist
added last week35 views

CVE-2026-59709 Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS0.002EPSS
Exploits0References4
OSV
OSV
added last week3 views

CVE-2026-59709 Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS6AI score0.002EPSS
Exploits0References6
OSV
OSV
added last week5 views

PYSEC-2026-1494 Kinto Attachment's attachments can be replaced on read-only records

Impact The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent collection or bucket. And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request...

8.6CVSS5.9AI score0.00702EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.7 views

PT-2026-56198

Name of the Vulnerable Software and Affected Versions Ghostfolio affected versions not specified Description An issue exists where the 'PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags' endpoint fails to verify the Access.permissions field when processing the Impersonation-Id header. This...

5.3CVSS6.1AI score0.002EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/07/06 9:9 p.m.6 views

Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers

Summary The devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, performed no ActionUpdate check before triggering the destructive rebuild. Note: Exploitation requires an existing low-privilege role with...

5.4CVSS6AI score0.00394EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/07/06 9:9 p.m.3 views

GHSA-JQJ2-X4C5-JFXM Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers

Summary The devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, performed no ActionUpdate check before triggering the destructive rebuild. Note: Exploitation requires an existing low-privilege role with...

5.4CVSS6AI score0.00394EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added 2026/07/06 3:7 p.m.7 views

nodejs: Node.js: Unauthorized file metadata modification

A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system...

3.3CVSS6.2AI score0.00154EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/06 2:47 p.m.5 views

nodejs: Node.js: Unauthorized file metadata modification

A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system...

3.3CVSS6.2AI score0.00154EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/06 5:32 a.m.5 views

nodejs: Node.js: Unauthorized file metadata modification

A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system...

3.3CVSS5.9AI score0.00154EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/06 4:52 a.m.7 views

nodejs: Node.js: Unauthorized file metadata modification

A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system...

3.3CVSS6.2AI score0.00154EPSS
Exploits0References5
NVD
NVD
added 2026/07/03 9:16 p.m.8 views

CVE-2026-26231

Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write...

8.5CVSS0.00291EPSS
Exploits0References5
OSV
OSV
added 2026/07/01 9:56 p.m.3 views

GHSA-3WHC-QVHV-XQJP goshs: WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags

WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags Ecosystem: Go Package: goshs.de/goshs/v2 github.com/patrickhener/goshs Affected: /tmp/r/x.txt goshs -p 18000 -wp 18001 -w -ro -d /tmp/r -b admin:pw & curl -u admin:pw -X PUT http://localhost:18000/y.txt --data x 403 HT...

8.1CVSS5.8AI score
Exploits0References2
Cvelist
Cvelist
added 2026/06/30 9:6 p.m.37 views

CVE-2026-58448 yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS0.00235EPSS
Exploits0References3
Rows per page
Query Builder