40 matches found
CVE-2026-33357 Meari OpenAPI device status IDOR
In Meari client applications embedding "com.meari.sdk" including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label = 1.8.x, the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side...
CVE-2026-33357 Meari OpenAPI device status IDOR
In Meari client applications embedding "com.meari.sdk" including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label = 1.8.x, the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN IP data for arbitrary devices. The root cause is a server-side...
CVE-2026-33357
CVE-2026-33357 affects Meari client applications that embed com.meari.sdk, including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label
Meari com.meari.sdk 安全漏洞
Meari com.meari.sdk is a development toolkit for IoT communication and device management software, developed by Meari Corporation in China. There is a security vulnerability in Meari com.meari.sdk, which stems from failed server-side authorization. This vulnerability could allow unauthorized...
CVE-2026-33477
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint /api/file/snippet.php allows an authenticated user with only readown access to a folder to retrieve snippet content from files upload...
CVE-2026-25045
Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR Insecure Direct Object Reference due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who...
CVE-2026-23496
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an...
Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing
Summary The API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions e.g., name, key, type, default value used across documents, assets, and objects to standardize custom...
CVE-2026-23496 Pimcore Web2Print Tools Bundle "Favourite Output Channel Configuration" Missing Function Level Authorization
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an...
EUVD-2026-2726
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an...
CVE-2026-23496
Pimcore Web2Print Tools Bundle adds tools for web-to-print use cases to Pimcore. Prior to 5.2.2 and 6.1.1, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for managing "Favourite Output Channel Configurations." Testing revealed that an...
CVE-2026-23494 Pimcore is Missing Function Level Authorization on "Static Routes" Listing
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...
Pimcore security vulnerabilities
Pimcore is an open-source web content management platform developed by the Austrian company Pimcore. This platform integrates applications such as web content management, e-commerce frameworks, and product information management. Versions of Pimcore prior to 12.3.1 and 11.5.14 contained security...
EUVD-2025-203373
An issue was discovered in Wekan The Open Source kanban board system up to version 18.15, fixed in 18.16. Authenticated users can update their entire user document beyond profile fields, including orgs/teams and loginDisabled, due to missing server-side authorization checks; this enables privileg...
CVE-2025-66581
Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints...
CVE-2025-66581
Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints...
CVE-2025-66581 Frappe LMS is Missing Server-Side Authorization in Business Logic
Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints...
CVE-2025-66581 Frappe LMS is Missing Server-Side Authorization in Business Logic
Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints...
CVE-2025-66581
Frappe LMS (versions before 2.41.0) has a server-side authorization flaw where endpoints relied on client-side checks, allowing authenticated low-privilege users (e.g., students) to perform actions outside their roles via the API. The issue is fixed in 2.41.0. Affected component: server-side perm...
CVE-2025-66581 Frappe LMS is Missing Server-Side Authorization in Business Logic
Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints...