Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment

Impact A user with only users.edit AND api permissions can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. Patches Patched in...

CVE-2026-48493

Snipe-IT (IT asset/license management) is affected by CVE-2026-48493 through a privilege-escalation flaw in versions prior to 8.6.0. A user with only users.edit can PATCH /api/v1/users/{their_own_id} to grant themselves any permission except admin/superuser (e.g., assets.view, assets.create, repo...

PT-2026-39406

Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/id. The endpoint directly persists the admin attribute from user input, and the escalated accou...

CVE-2026-40349 Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending isAdmin=true to PUT /settings/users/userId for their own user ID. The endpoint is intended to let a user ed...

CVE-2026-40349

CVE-2026-40349 affects Movary (self-hosted web app). Before version 0.71.1, an ordinary authenticated user can self-escalate to administrator by submitting isAdmin=true to PUT /settings/users/{userId} for their own user ID. The endpoint is intended for editing a user’s profile but fails to enforc...

DEBIAN-CVE-2024-41942

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the admin:users scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that...