CVE-2026-50881

Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes...

CVE-2026-53808 OpenClaw < 2026.5.6 - Approval Policy Bypass in Skill Workshop Apply Flow

OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before...

CVE-2026-47169 Quest Bot: Manage Server users can configure AutoRole to grant Administrator to controlled joining accounts

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the select...

Improper Access Control

Traefik is vulnerable to Improper Access Control. The vulnerability is due to insufficient validation of TraefikService backend references ending with @internal, which allows an attacker with HTTPRoute creation permissions to access the internal REST provider and perform unauthorized configuratio...

GHSA-96QJ-4JJ5-WCJC Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false

Summary There is a medium severity vulnerability in Traefik's Kubernetes Gateway API provider that allows a tenant with HTTPRoute creation permissions to expose the REST provider handler, bypassing the providers.rest.insecure=false setting. The Gateway provider accepts any TraefikService backend...

EUVD-2026-28547

Weak credentials in the CashDro 3 web administration panel, version 24.01.00.26, where the platform allows the use of numeric PINs for user authentication. The system supports the use of PIN-based credentials, maintaining compatibility with POS software integrations deployed since 2012. This coul...

CVE-2026-7824

An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" diagnostic mode is enabled, the application inadvertently records administrative credentials in plain text within the log files. An attacker with administrative access to the PaperCut Hive management...

CVE-2026-7824 PaperCut Hive (Ricoh): Plain text password in logs

An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" diagnostic mode is enabled, the application inadvertently records administrative credentials in plain text within the log files. An attacker with administrative access to the PaperCut Hive management...

Flaw in the updateUser Command May Allow Unauthorized Configuration Change

An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect how authentication is performed for the impacted account...

CVE-2026-27841

A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery CSRF protections. Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious extern...

CVE-2026-27841 SenseLive X3050 Cross-Site request forgery

A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery CSRF protections. Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious extern...

EUVD-2026-25352

A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery CSRF protections. Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious extern...

SenseLive X3050 跨站请求伪造漏洞

The SenseLive X3050 is a data collection and environmental monitoring device designed for IoT scenarios by SenseLive Corporation. The SenseLive X3050 has a cross-site request forgeing vulnerability. This vulnerability arises from the lack of protection against cross-site request forgeing in the w...

PT-2026-34801

A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery CSRF protections. Because the application does not enforce server-side validation of request origin or implement CSRF tokens, a malicious extern...

CVE-2026-27843

A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values to recovery mechanisms and network settings, an attacker can...

Silex SD-330AC和Silex AMC Manager 安全漏洞

Silex SD-330AC and Silex AMC Manager are both products of the Japanese company Silex. Silex SD-330AC is a device server that provides wireless network connectivity and the ability to share with USB devices. Silex AMC Manager is a management software used for centralized management of device serve...

CVE-2021-47961

A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combin...

CVE-2021-47961

The CVE describes a plaintext password storage vulnerability in Synology SSL VPN Client prior to version 1.4.5-0684 . The insecure storage can allow remote attackers to access or influence the user’s PIN, potentially enabling unauthorized VPN configuration and interception of subsequent VPN traff...

CVE-2021-47961

A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combin...

CVE-2026-32678

The CVE-2026-32678 entry describes an authentication bypass vulnerability in BUFFALO Wi‑Fi router products. The issue would allow an attacker to alter critical configuration settings without authentication, compromising device configuration integrity and potentially impacting network management. ...