287 matches found
CVE-2026-46645
SQLAdmin is a flexible Admin interface for SQLAlchemy models. Prior to version 0.25.1, the ajaxlookup endpoint in application.py bypasses the isaccessible access control check that all other endpoints enforce. If a developer restricts model access by overriding isaccessible, an authenticated user...
CVE-2026-27683
SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact...
CVE-2026-10864
A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause th...
EUVD-2026-34266
A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause th...
CVE-2026-10864
A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause th...
CVE-2026-10864 MISP Dashboard widget field selection may expose restricted user and organisation data
A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause th...
CVE-2026-41032
It is possible for an unauthenticated adjacent attacker to download log files of the controller, which may disclose some restricted information...
CVE-2026-41032
The CVE-2026-41032 entry concerns Phoenix Contact CHARX SEC-3xxx charging controller firmware. Affected component: firmware on CHARX SEC-3xxx charging controllers. Vulnerability: an unauthenticated adjacent attacker can download log files from the controller, potentially exposing restricted infor...
PT-2026-45261
An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: 7.0.X 8.0.X 2023.X...
EUVD-2024-55593
Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vecto...
Missing Authorization
Overview sqladmin is a SQLAlchemy admin for FastAPI and Starlette Affected versions of this package are vulnerable to Missing Authorization in the ajaxlookup endpoint due to missing enforcement of access control checks. An attacker can access restricted model data by sending requests to the...
CVE-2026-20238
The CVE affects Splunk AI Toolkit prior to 5.7.3. A low-privilege user (not admin/power) can access data restricted by srchFilter settings in authorize.conf. The toolkit stores a srchFilter entry that alters the built-in user role; Splunk’s inheritance with OR in search filters allows the injecte...
Astra Linux - уязвимость в 389-ds-base
A access control bypass vulnerability was discovered in version 389-ds-base. This issue stems from improper handling of the filter, which results in incorrect results. However, further analysis revealed that it actually constitutes an access control bypass. This vulnerability could allow any...
Splunk AI Toolkit 安全漏洞
The Splunk AI Toolkit is a machine learning and artificial intelligence analysis toolkit developed by Splunk for their own platform. Versions of the Splunk AI Toolkit prior to 5.7.3 contained security vulnerabilities. These vulnerabilities stemmed from modifications to the srchFilter entry in the...
CVE-2026-40132 Missing Authorization Check in SAP Strategic Enterprise Management (BSP application Balanced Scorecard Wizard)
Due to missing authorization check in SAP Strategic Enterprise Management Scorecard Wizard in Business Server Pages, an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and...
CVE-2026-42884 Audiobookshelf: Collection endpoints bypass library access controls exposing restricted library data
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking whether the requesting user has access to each collection's library. An authenticated user with...
CVE-2026-42884 Audiobookshelf: Collection endpoints bypass library access controls exposing restricted library data
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking whether the requesting user has access to each collection's library. An authenticated user with...
PT-2026-36818
Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.0 Kirby versions prior to 5.4.0 Description Missing authorization allows authenticated users to perform actions they are not intended to have access to, potentially leading to unauthorized access to sensitive...
CVE-2026-41350
OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the sessionstatus function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke sessionstatus without sandbox constraints to bypass session-policy...
CVE-2026-39687
Missing Authorization vulnerability in Rapid Car Check Rapid Car Check Vehicle Data free-vehicle-data-uk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rapid Car Check Vehicle Data: from n/a through = 2.0...