22 matches found
CVE-2026-48008 Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync; the regular integration endpoint POST...
CVE-2026-48008 Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync; the regular integration endpoint POST...
CVE-2026-48008
Shopware vulnerability CVE-2026-48008 describes privilege escalation via the Sync API. A non-admin API user with integration:create can set admin: true when creating an integration through POST /api/_action/sync, bypassing the normal admin-check that blocks admin flag on POST /api/integration. Th...
CVE-2026-63097 Dendrite 0.13.8 syncapi /context Endpoint Post-Leave State Exposure
Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint syncapi/routing/context.go that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while...
Missing Authorization
Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Missing Authorization via the Sync API process. An attacker can gain unauthorized administrative privileges by creating an integration with elevated permissions through direct API calls,...
GHSA-GV8P-48FR-4FXG Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass
Summary A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync. The regular integration endpoint POST /api/integration correctly blocks this, but the Sync API bypasses the...
PT-2026-46884
Name of the Vulnerable Software and Affected Versions Shopware versions prior to 6.6.10.18 Shopware versions prior to 6.7.10.1 Description A non-admin API user with integration:create ACL privilege can escalate their privileges to full administrator. This is possible by creating an integration wi...
CVE-2026-30796
CVE-2026-30796 affects RustDesk Server Pro (rustdesk-server-pro) on Windows, macOS, and Linux. The vulnerability lies in cleartext transmission within the Address Book Sync/Heartbeat API path, where the Heartbeat API handler accepts a preset address-book password in plaintext. Consequence: potent...
CVE-2026-27638
Actual is a local-first personal finance tool. Prior to version 26.2.1, in multi-user mode OpenID, the sync API endpoints /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budge...
SUSE CVE-2025-38040
In the Linux kernel, the following vulnerability has been resolved: serial: mctrlgpio: split disablems into sync and nosync APIs The following splat has been observed on a SAMA5D27 platform using atmelserial: BUG: sleeping function called from invalid context at kernel/irq/manage.c:738 inatomic: ...
CVE-2025-38040
CVE-2025-38040 affects the Linux kernel’s serial/mctrl_gpio path. The advisory reports a fix for a denial of service/privilege implications by splitting the disabling of modem lines (disable_ms) into two APIs: sync and no_sync, addressing a sleeping function being called from an atomic context (d...
Hidden Backdoors in npm Packages Let Attackers Wipe Entire Systems
Malicious npm packages found with hidden endpoints that wipe systems on command. Devs warned to check dependencies for express-api-sync, system-health-sync-api...
Malicious code in system-health-sync-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 13c337e149bd36fcd54891e550bf7fdb7c1dc36b1bfc1b06e0b1427851d4adde Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-4695 Malicious code in system-health-sync-api (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 13c337e149bd36fcd54891e550bf7fdb7c1dc36b1bfc1b06e0b1427851d4adde Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-1256 Malicious code in pnpm-sync-api-tests (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7ff8a3208b0a7303df5e44ee0ec9bcc028b58bffe1fdabfbea89ab56a78cf841 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2014-3176
Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3177...
Code injection
Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3177...
CVE-2014-3177
Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3176...
CVE-2014-3176
Google Chrome before 37.0.2062.94 does not properly handle the interaction of extensions, IPC, the sync API, and Google V8, which allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-3177...
CVE-2014-3176
Removed by vendor...