Lucene search
K

381 matches found

OSV
OSV
added 2026/04/14 6:30 p.m.5 views

GHSA-2XX8-J85V-J7WH Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php

A Broken Object-Level Authorization BOLA in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References3
OSV
OSV
added 2026/04/14 6:30 p.m.7 views

GHSA-RM5F-3C25-P4CW Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References3
NVD
NVD
added 2026/04/14 4:16 p.m.6 views

CVE-2026-38532

A Broken Object-Level Authorization BOLA in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request...

8.1CVSS0.00351EPSS
Exploits2References2
NVD
NVD
added 2026/04/14 12:16 a.m.12 views

CVE-2026-27681

Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. This leads to a high impact on the confidentiality, integrity, and availability of th...

9.9CVSS0.00501EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/14 12:0 a.m.8 views

Fortinet多款产品 路径遍历漏洞

Fortinet FortiOS are products of the American company Fortinet. Fortinet FortiOS is a security operating system specifically designed for the FortiGate network security platform. Fortinet FortiManager is a centralized network security management platform. Fortinet FortiProxy is a secure network...

6.5CVSS6AI score0.00498EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.6 views

PT-2026-32685

A Broken Object-Level Authorization BOLA in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any contact owned by other users via supplying a crafted GET request...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References5
Vulnrichment
Vulnrichment
added 2026/04/14 12:0 a.m.2 views

CVE-2026-38530

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References2
CNNVD
CNNVD
added 2026/04/14 12:0 a.m.8 views

Webkul Krayin CRM 安全漏洞

Webkul Krayin CRM is a free and open-source CRM solution for small and medium-sized businesses from the Indian company Webkul. Version 2.2.x of Webkul Krayin CRM contains a security vulnerability. This vulnerability stems from an object-level authorization flaw in the...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References2
NVD
NVD
added 2026/04/08 6:25 p.m.2 views

CVE-2026-32589

A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to rea...

7.4CVSS0.00243EPSS
Exploits0References11
CVE
CVE
added 2026/04/08 5:4 p.m.12 views

CVE-2026-32589

CVE-2026-32589 concerns Red Hat Quay, where an authenticated user with push access to any repository can interfere with in-progress image uploads of other users due to an insecure direct object reference in the blobupload process. The issue enables reading, modification, or cancellation of anothe...

7.4CVSS5.9AI score0.00243EPSS
Exploits0References11Affected Software2
Positive Technologies
Positive Technologies
added 2026/04/08 12:0 a.m.5 views

PT-2026-31341

Name of the Vulnerable Software and Affected Versions Red Hat Quay affected versions not specified Description A flaw exists in Red Hat Quay's container image upload process. An authenticated user with push access to any repository can interfere with image uploads in progress by other users, even...

7.4CVSS5.3AI score0.00243EPSS
Exploits0References21
Cvelist
Cvelist
added 2026/03/27 8:6 p.m.25 views

CVE-2026-34046 Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the readflow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTOLOGIN setting to decide whether to filter by userid. When AUTOLOGIN was False i.e., authentication was enable...

8.7CVSS0.00406EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/27 8:6 p.m.2 views

CVE-2026-34046 Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the readflow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTOLOGIN setting to decide whether to filter by userid. When AUTOLOGIN was False i.e., authentication was enable...

8.7CVSS5.9AI score0.00406EPSS
Exploits0References2
CVE
CVE
added 2026/03/27 8:6 p.m.16 views

CVE-2026-34046

Summary : CVE-2026-34046 affects Langflow prior to 1.5.1, where the _read_flow) path could bypass ownership checks when AUTO_LOGIN was false, allowing any authenticated user to read, modify, or delete flows owned by others, potentially exposing embedded plaintext API keys. Affected component : La...

8.8CVSS5.9AI score0.00406EPSS
Exploits0References2Affected Software2
OSV
OSV
added 2026/03/27 7:36 p.m.2 views

GHSA-8C4J-F57C-35CF Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

Vulnerability IDOR in GET/PATCH/DELETE /api/v1/flow/flowid The readflow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTOLOGIN setting to decide whether to filter by userid. When AUTOLOGIN was False i.e., authentication was enabled, neither branch enforced an ownership chec...

8.7CVSS5.9AI score0.00406EPSS
Exploits0References4
Snyk
Snyk
added 2026/03/27 7:36 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the readflow helper in src/backend/base/langflow/api/v1/flows.py. An attacker can read, modify, or delete another user's flow by supplying that flow's UUID to the GET, PATCH, or DELETE /api/v1/flow/flowid...

8.8CVSS5.9AI score0.00406EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/27 7:36 p.m.3 views

EUVD-2026-16850

Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check...

8.7CVSS5.8AI score0.00406EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.4 views

CVE-2026-33010

mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.25.1, when the HTTP server is enabled MCPHTTPENABLED=true, the application configures FastAPI's CORSMiddleware with alloworigins='', allowcredentials=True, allowmethods="", and allowheaders="". The...

8.1CVSS5.7AI score0.00387EPSS
Exploits1References1
NVD
NVD
added 2026/03/19 10:16 p.m.3 views

CVE-2026-32752

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, the ThreadPolicy::edit method contains a broken access control vulnerability that allows any authenticated user regardless of role or mailbox access to read and modify all...

8.1CVSS0.00283EPSS
Exploits1References3
OSV
OSV
added 2026/03/19 10:16 p.m.7 views

CVE-2026-32018

OpenClaw versions prior to 2026.2.19 contain a race condition vulnerability in concurrent updateRegistry and removeRegistryEntry operations for sandbox containers and browsers. Attackers can exploit unsynchronized read-modify-write operations without locking to cause registry updates to lose data...

3.6CVSS5.9AI score
Exploits0References3
Rows per page
Query Builder