Lucene search
K

20 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.10 views

CVE-2026-41133

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

8.8CVSS7.4AI score0.00325EPSS
Exploits1References1
CVE
CVE
added 2026/05/27 5:5 p.m.15 views

CVE-2026-46424

Budibase vulnerability CVE-2026-46424 affects versions before 3.38.2. The public API endpoint POST /api/public/v1/roles/unassign updates CouchDB user documents but does not invalidate the Redis cache entries used by authentication middleware, so revoked admin/builder/app roles may persist up to 1...

4.2CVSS5.7AI score0.00163EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/19 4:30 p.m.18 views

Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour

Summary The public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache TTL: 3600 seconds...

4.2CVSS5.8AI score0.00163EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/19 4:30 p.m.6 views

GHSA-6VP2-6R7M-2JVX Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour

Summary The public API role unassignment endpoint POST /api/public/v1/roles/unassign updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache TTL: 3600 seconds...

4.2CVSS5.8AI score0.00163EPSS
Exploits0References4
NVD
NVD
added 2026/05/18 8:16 a.m.11 views

CVE-2026-3637

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to check the createpost channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...

4.3CVSS0.00152EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.14 views

PT-2026-41642

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13 Mattermost versions 11.4.0 through 11.4.3 Description An issue exists where the software fails to verify the create post channel permission during post edit...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References9
NVD
NVD
added 2026/04/22 12:16 a.m.7 views

CVE-2026-41133

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

8.8CVSS0.00325EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/21 11:41 p.m.5 views

CVE-2026-41133

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

8.8CVSS5.7AI score0.00325EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/04/21 11:41 p.m.6 views

EUVD-2026-24574

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

8.8CVSS5.7AI score0.00325EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.11 views

PT-2026-34223

Name of the Vulnerable Software and Affected Versions pyLoad versions prior to 0.5.0b3.dev98 Description An issue exists where role and permission are cached in the session during login. The system continues to authorize requests using these cached values even after an administrator modifies the...

8.8CVSS7.8AI score0.00325EPSS
Exploits1References5
CNNVD
CNNVD
added 2026/01/28 12:0 a.m.8 views

Juju security vulnerabilities

Juju is a publicly available application orchestration engine developed by Canonical Juju. There is a security vulnerability in Juju, which stems from a flaw in cross-model authorization. This vulnerability could allow malicious users to maintain privileges that have been revoked or expired...

2.1CVSS5.8AI score0.00133EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/01/21 9:31 a.m.11 views

Keycloak services allows the issuance of access and refresh tokens for disabled users

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...

6.5CVSS5.4AI score0.00443EPSS
Exploits0References10Affected Software1
OSV
OSV
added 2026/01/21 7:16 a.m.5 views

UBUNTU-CVE-2025-14559

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...

6.5CVSS5.7AI score0.00443EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/01/21 12:0 a.m.7 views

PT-2026-3753

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the keycloak-services component of Keycloak. This issue allows the issuance of access and refresh tokens for disabled users, potentially leading to unauthorized use of...

8.5CVSS5.4AI score0.00443EPSS
Exploits0References19
Positive Technologies
Positive Technologies
added 2023/12/23 12:0 a.m.6 views

PT-2023-8568 · Sudo +2 · Sudo +2

Name of the Vulnerable Software and Affected Versions: sudo affected versions not specified Description: A flaw was found in sudo in the handling of ipa hostname, where ipa hostname from /etc/sssd/sssd.conf was not propagated in sudo. This leads to a privilege mismanagement issue in applications,...

9CVSS5.9AI score0.00953EPSS
Exploits0References39
SUSE CVE
SUSE CVE
added 2023/02/15 3:39 a.m.6 views

SUSE CVE-2021-36775

a Improper Access Control vulnerability in SUSE Rancher allows users to keep privileges that should have been revoked. This issue affects: SUSE Rancher Rancher versions prior to 2.4.18; Rancher versions prior to 2.5.12; Rancher versions prior to 2.6.3...

8.8CVSS8.5AI score0.00932EPSS
Exploits0References4
Prion
Prion
added 2022/05/19 6:15 p.m.23 views

Design/Logic Flaw

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users from:users-permissions. There are many scenarios in whic...

6CVSS7.4AI score0.00922EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2022/04/04 12:0 a.m.6 views

Rancher Labs Rancher 安全漏洞

Rancher Labs Rancher is an open source, enterprise-class container management platform from Rancher Labs, U.S. Rancher Labs Rancher is vulnerable to an access control error that could be exploited by an attacker to retain privileges that should have been revoked...

8.8CVSS5.6AI score0.00932EPSS
Exploits0References3
Veracode
Veracode
added 2019/05/02 4:43 a.m.28 views

Arbitrary Code Execution

Keystone is a Python implementation of the OpenStack http://www.openstack.org identity service API. It was found that Keystone incorrectly handled authorization failures. If a client attempted to change their tenant membership to one they are not authorized to join, Keystone correctly returned a...

7.5CVSS6AI score0.03965EPSS
Exploits0References16Affected Software1
CNVD
CNVD
added 2017/10/27 12:0 a.m.39 views

Keycloak Resource Privilege Extension Vulnerability

Keycloak oauth is an OAuth-based authentication and authorization system that improves the security of secure system development. A resource privilege extension vulnerability exists in Keycloak oauth. An attacker can exploit this vulnerability to continue to enjoy privileges that have been revoke...

7.2CVSS7.2AI score0.01887EPSS
Exploits0References1
Rows per page
Query Builder