Lucene search
K

140 matches found

Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.26 views

PT-2026-47684

Name of the Vulnerable Software and Affected Versions 6Storage Rentals versions prior to 2.22.1 Description An authorization bypass exists in the 6Storage Rentals plugin for WordPress. Unauthenticated attackers can read and modify arbitrary tenant profile data, including names, email addresses,...

7.5CVSS5.3AI score0.00403EPSS
Exploits0References15
OSV
OSV
added 2026/06/08 11:35 p.m.11 views

GHSA-QM33-P5P9-F8VG nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator

internal/api/audit.go:12 — handleGetAuditLog does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via store.ListAuditEntries up to limit=1000. This includes cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entrie...

7.1CVSS5.5AI score0.00043EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.11 views

PT-2026-47578

internal/api/audit.go:12 — handleGetAuditLog does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via store.ListAuditEntries up to limit=1000. This includes cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entrie...

7.1CVSS5.5AI score
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.12 views

PT-2026-47623

Name of the Vulnerable Software and Affected Versions nebula-mesh versions prior to 0.3.1 Description The handleGetAuditLog function in internal/api/audit.go fails to perform an administrative privilege check. While the endpoint is protected by bearer authentication, any valid operator API key...

7.1CVSS5.9AI score0.00043EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/06 12:31 a.m.10 views

EUVD-2026-34918

A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to...

9.4CVSS6.4AI score0.01145EPSS
Exploits0References2
NVD
NVD
added 2026/06/05 10:16 p.m.10 views

CVE-2026-11429

Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file uploads where a user-supplied filename component is used to construct the destination path without validation, allowing arbitrary files to be written to any location writable by th...

10CVSS0.01145EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/05 9:1 p.m.10 views

CVE-2026-11429

A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to...

9.4CVSS6.4AI score0.01145EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.8 views

CVE-2026-6411

This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted,...

7.3CVSS5.4AI score0.00159EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/05 12:0 a.m.16 views

PT-2026-47057

Name of the Vulnerable Software and Affected Versions Altium Enterprise Server versions prior to 8.1.1 Altium 365 affected versions not specified Description A path traversal issue exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service processes...

10CVSS6.4AI score0.01145EPSS
Exploits0References7
OSV
OSV
added 2026/06/04 6:39 p.m.11 views

GHSA-WC3V-3457-C8CM OpenMeter: SQL injection through meter creation

Summary An authenticated tenant can inject arbitrary SQL through the valueProperty or groupBy fields of POST /api/v1/meters. The injection passes the application's JSONPath validation check and executes against the shared ClickHouse database, which contains event data for all tenants with no...

5.3CVSS6.1AI score0.00036EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/04 12:0 a.m.16 views

PT-2026-46897

Name of the Vulnerable Software and Affected Versions OpenMeter affected versions not specified Description An authenticated tenant can perform SQL injection through the valueProperty or groupBy fields of the 'POST /api/v1/meters' endpoint. The issue occurs because the application uses string...

5.3CVSS6.1AI score0.00036EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/06/01 4:3 p.m.14 views

CVE-2026-9831

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS5.8AI score0.00172EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/30 12:30 a.m.14 views

EUVD-2026-33445

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS5.8AI score0.00172EPSS
Exploits0References2
NVD
NVD
added 2026/05/29 10:16 p.m.23 views

CVE-2026-9831

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS0.00172EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 9:19 p.m.55 views

CVE-2026-9831

The CVE-2026-9831 entry describes a race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path. Under high-concurrency traffic, requests authenticated with an Extreme Platform ONE /IAM API key could intermittently return data for a different tenant, indicating cross...

6.3CVSS5.8AI score0.00172EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/29 9:19 p.m.13 views

CVE-2026-9831

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS5.8AI score0.00172EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/29 9:19 p.m.13 views

CVE-2026-9831 ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS5.8AI score0.00172EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/29 9:19 p.m.39 views

CVE-2026-9831 ExtremeCloud IQ Cross Tenant Data Exposure via Extreme Platform One Authentication Race Condition

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS0.00172EPSS
Exploits0References1
CVE
CVE
added 2026/05/28 4:51 p.m.25 views

CVE-2026-45296

OpenReplay before 1.26.0 exposes cross-tenant risks via the Python API app_apikey routes that trust a caller-provided projectKey after validating only the API key and existence of the projectKey. The authorization flow fails to bind the authenticated API key to the correct tenant, enabling an att...

7.7CVSS5.8AI score0.00231EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/21 12:47 a.m.9 views

CVE-2026-9152 Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfiltration and Index Destruction

A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's...

10CVSS5.8AI score0.00339EPSS
Exploits0References1
Rows per page
Query Builder