31 matches found
CVE-2026-25161
CVE-2026-25161 affects Alist up to version 3.56.x, with a path traversal flaw in multiple file operation handlers. By injecting traversal sequences into filename components, an authenticated user can bypass directory-level authorisation and perform unauthorised removal, movement, or copying of fi...
CVE-2026-25161 Alist vulnerable to Path Traversal in multiple file operation handlers
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal...
EUVD-2026-5366
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal...
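The flaw class in the two Alist entries above (the directory is authorised, but the per-file name that is joined onto it is not), shown as an added Go example. This is not Alist's code: the userDirs map, the authorised helper and the VulnerableRemove/SafeRemove function names are constructed for illustration, and the permission model is a hypothetical prefix map, not Alist's real one.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Constructed stand-in for per-directory authorisation (hypothetical, not
// Alist's real permission model): each user may operate on everything
// under the listed prefixes.
var userDirs = map[string][]string{
	"alice": {"/shared/alice"},
}

var (
	ErrForbidden = errors.New("forbidden")
	ErrBadName   = errors.New("invalid file name")
)

// authorised normalises dir first so that "/shared/alice/.." is judged as
// "/shared" rather than slipping past a naive prefix comparison.
func authorised(user, dir string) bool {
	dir = path.Clean(dir)
	for _, p := range userDirs[user] {
		if dir == p || strings.HasPrefix(dir, p+"/") {
			return true
		}
	}
	return false
}

// VulnerableRemove has the bug pattern the advisory describes: only the
// directory is authorised; the file name is joined in unchecked, so a name
// such as "../../etc/config" resolves outside the directory that was checked.
func VulnerableRemove(user, dir, name string) (string, error) {
	if !authorised(user, dir) {
		return "", ErrForbidden
	}
	// path.Join cleans the ".." away and hands back the escaped path.
	return path.Join(dir, name), nil
}

// SafeRemove accepts only a single path element as the name and re-checks
// the fully resolved target against the same authorisation rule.
func SafeRemove(user, dir, name string) (string, error) {
	if !authorised(user, dir) {
		return "", ErrForbidden
	}
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", ErrBadName
	}
	target := path.Join(dir, name)
	// Defence in depth: the parent of the resolved path must itself be authorised.
	if !authorised(user, path.Dir(target)) {
		return "", ErrForbidden
	}
	return target, nil
}

func main() {
	for _, name := range []string{"report.txt", "../../etc/config", ".."} {
		v, verr := VulnerableRemove("alice", "/shared/alice", name)
		s, serr := SafeRemove("alice", "/shared/alice", name)
		fmt.Printf("%-20q vulnerable=%q,%v  safe=%q,%v\n", name, v, verr, s, serr)
	}
}
```

The advisory says the affected handlers are batch operations (remove, move, copy), so in a real fix the name validation has to run on every element of the submitted list before any of them is acted on, and the same rule applies to the destination directory of a move or copy, not only the source.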
EUVD-2023-43666
Malicious code in bioql PyPI...
UBUNTU-CVE-2025-53112
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.1...
CVE-2025-53112 GLPI's incomprehensive permission checks can lead to data removal from allowed users
GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.1...
PT-2025-31388 · Glpi +1
Name of the Vulnerable Software and Affected Versions: GLPI versions 9.1.0 through 10.0.18 Description: GLPI is an Asset and IT Management Software package providing ITIL Service Desk features, licenses tracking, and software auditing. A lack of permission checks in affected versions can result i...
CVE-2025-27538
Summary: CVE-2025-27538 affects Mattermost Server versions 10.5.x (≤ 10.5.1) and 9.11.x (≤ 9.11.9). The issue is that MFA checks are not enforced in PUT /api/v4/users/{user_id}/mfa when the requesting user differs from the target user, enabling users with the edit_other_users permission to activate...
CVE-2023-23715 WordPress JobBoardWP – Job Board Listings and Submissions plugin <= 1.2.2 - IDOR Leading To Job Removal Vulnerability
Missing Authorization vulnerability in JobBoardWP JobBoardWP – Job Board Listings and Submissions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBoardWP – Job Board Listings and Submissions: from n/a through 1.2.2...
WordPress Plugin WP Hotel Booking Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plugin. A security vulnerability exists in...
CVE-2023-39973
Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns...
CVE-2023-39973 Extension - acymailing.com - Improper Access Control in AcyMailing Enterprise component for Joomla 6.7.0-8.6.3
Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns...
AcyMailing Joomla Component Security Vulnerability
AcyMailing Joomla Component is an email marketing component used in the Joomla content management system. A security vulnerability exists in AcyMailing Joomla Component that stems from the presence of incorrect access control that allows unauthorized removal of attachments from campaigns...
CVE-2023-1071
An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic...
CVE-2021-36400
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions...
CVE-2023-22737 wire-server vulnerable to unauthorized removal of Bots from Conversations
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular...
NFTFloorOracle price feeders can be removed by anyone
Vulnerability details. Impact: the NFT price feeders in the NFTFloorOracle contract should be added or removed only by the admin, but because the removeFeeder function is missing the onlyRole(DEFAULT_ADMIN_ROLE) modifier, any user can remove a feeder; this could impact the whole protocol i...
CVE-2022-35412
Digital Guardian Agent 7.7.4.0042 contains an information-disclosure risk: an administrator (who normally cannot uninstall the product) can disable certain agent features and exfiltrate files to an external USB device. This CVE (CVE-2022-35412) is a local-attack scenario with Privileges Required:...