GHSA-22VX-2X23-98W6 OpenSearch vulnerable to improper authorization for Rollover Requests
Description A flaw was identified in the OpenSearch Security plugin's handling of index rollover requests. When a rollover request included an explicit target index name, the security plugin did not properly evaluate access control permissions against the target index. This could allow a user wit...
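The defect described above is that the permission check covered the alias being rolled over but not the index the rollover actually creates when the caller names one explicitly. The following is an added illustration written for this page, not OpenSearch Security plugin code; the role table, alias table, wildcard format and function names are assumptions. The vulnerable check authorises only the alias's current backing index; the hardened one also authorises the target, whether explicit or generated.

```javascript
"use strict";

// Constructed role table (assumption): "writer" may write to logs-*
// but not to archive-*; "admin" may write anywhere. Patterns support
// only a trailing "*" wildcard.
const ROLES = {
  writer: { write: ["logs-*"] },
  admin:  { write: ["*"] },
};

// Constructed alias table (assumption): alias -> current backing index.
const ALIASES = { "logs-write": "logs-000001" };

function patternMatches(pattern, name) {
  if (pattern === "*") return true;
  if (pattern.endsWith("*")) return name.startsWith(pattern.slice(0, -1));
  return pattern === name;
}

// Does this user hold write permission on the named index?
function mayWrite(user, index) {
  const pats = (ROLES[user] && ROLES[user].write) || [];
  return pats.some((p) => patternMatches(p, index));
}

// Name a rollover would generate when no explicit target is given:
// bump the trailing numeric suffix, preserving its zero padding.
function nextGeneratedName(current) {
  const m = /^(.*-)(\d+)$/.exec(current);
  if (!m) return current + "-000001";
  const n = String(Number(m[2]) + 1).padStart(m[2].length, "0");
  return m[1] + n;
}

// Vulnerable variant: evaluates permissions against the alias's current
// index only, so an explicit `target` outside the user's scope passes.
function authorizeRolloverVulnerable(user, req) {
  const current = ALIASES[req.alias];
  return current !== undefined && mayWrite(user, current);
}

// Hardened variant: the rollover writes a new index, so the resolved
// target (explicit or generated) must be authorised as well.
function authorizeRolloverHardened(user, req) {
  const current = ALIASES[req.alias];
  if (current === undefined) return false;
  const target = req.target !== undefined ? req.target : nextGeneratedName(current);
  return mayWrite(user, current) && mayWrite(user, target);
}

// Usage: a writer rolling "logs-write" into an explicit "archive-2026".
const req = { alias: "logs-write", target: "archive-2026" };
authorizeRolloverVulnerable("writer", req); // true  (target never checked)
authorizeRolloverHardened("writer", req);   // false (target outside logs-*)
```

The general rule this shows is that authorisation must be evaluated on every object the operation will touch after name resolution, not only on the handle the caller supplied.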
CVE-2026-4292
A flaw was found in Django. Admin changelist forms utilizing ModelAdmin.list_editable were susceptible to improper access control. A remote attacker could exploit this by sending forged POST data, leading to the unauthorized creation of new instances within the application. Mitigation Mitigation f...
WordPress Social Icons Widget & Block plugin <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation vulnerability
Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation vulnerability discovered by darkmode in WordPress Plugin Social Icons Widget & Block by WPZOOM versions <= 4.5.8...
Zabbix 6.0.x < 6.0.41 / 7.0.x < 7.0.18 / 7.4.x < 7.4.2 Unauthorized Object Creation (ZBX-27567)
The version of Zabbix installed on the remote host is affected by an authorization bypass vulnerability. An authenticated low-privilege user (User role) possessing template and host write permissions can exploit the configuration.import API to create unauthorized objects, despite the User role...
PT-2026-6202
Name of the Vulnerable Software and Affected Versions Open eClass versions prior to 4.2 Description The Open eClass platform, previously known as GUnet eClass, is a course management system. A broken access control issue permits authenticated students to create new course units, a function...
CVE-2025-13753 WP Table Builder <= 2.0.19 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation
The WP Table Builder – Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with...
EUVD-2025-35355
The Meta Tag Manager WordPress plugin before 3.3 does not restrict which roles can create http-equiv refresh meta tags...
BIT-MOODLE-2024-33996 moodle: broken access control when setting calendar event type
Incorrect validation of allowed event types in a calendar web service made it possible for some users to create events with types/audiences they did not have permission to publish to...
Lunary authorization issue vulnerability
Lunary is an open-source production toolkit for LLMs. An authorization vulnerability exists in Lunary because the checklists.post endpoint does not properly validate the caller's privileges; an attacker can exploit this to create or modify checklists without authorization...
PT-2025-9240
Name of the Vulnerable Software and Affected Versions Serosoft Solutions Pvt Ltd Academia Student Information System SIS EagleR version 1.0.118 Description The issue is related to incorrect access control in the component "/rest/staffResource/update" of the affected software, allowing unauthorize...
CVE-2021-3987 Improper Access Control in janeczku/calibre-web
An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the create_shelf method in shelf.py not verifying if the user has the necessary permissions to create a...
CVE-2024-46837 drm/panthor: Restrict high priorities on group_create
In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Restrict high priorities on group_create We were allowing any users to create a high priority group without any permission checks. As a result, this was allowing possible denial of service. We now only allow the DRM...
CVE-2024-25633
eLabFTW is an open source electronic lab notebook for research labs. In an eLabFTW system, one can configure who is allowed to create new user accounts. A vulnerability has been found starting in version 4.4.0 and prior to version 5.0.0 that allows regular users to create new, validated accounts ...
CVE-2024-5459
The Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized creation of data due to a missing capability check on the 'add_section', 'add_menu', 'add_menu_item', and 'add_menu_page' functions in all versions up to, and including, 2.4.16. This makes it possible for authenticated...
CVE-2024-4287 Improper Input Validation in mintplex-labs/anything-llm
In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to /api/workspace/:workspace-slug/update, allowing it to be executed as part of ...
CVE-2024-0404
A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker...
CVE-2024-0404
CVE-2024-0404 describes a mass-assignment vulnerability in the mintplex-labs/anything-llm repository, specifically the "/api/invite/:code" endpoint. The issue allows an attacker to inject a privileged role (admin) during account creation via an invitation link by exploiting missing property allow...
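The two CVE-2024-0404 entries above describe the same mechanism: the invite-acceptance handler copied client-supplied properties into the new account, so a client could add a privileged role to the request. The block below is an added illustration of that pattern and its fix, written for this page and not taken from anything-llm; the invite store, field names and handler signatures are assumptions.

```javascript
"use strict";

// Constructed invite store (assumption): invite code -> the role the
// inviter chose for the account that will be created from it.
const INVITES = { abc123: { role: "default" } };

// Vulnerable handler: every property of the parsed JSON body is copied
// into the user record, so a forged body with "role": "admin" overrides
// the role the invite carries. (Mass assignment.)
function acceptInviteVulnerable(code, body) {
  const invite = INVITES[code];
  if (!invite) return { error: "invalid invite" };
  const user = Object.assign({ role: invite.role }, body);
  return { user };
}

// Hardened handler: only an explicit allowlist of fields is read from
// the body, each is type-checked, and the role is taken solely from the
// server-side invite. A real handler would also hash the password and
// mark the invite as claimed; both are omitted here.
const ALLOWED_FIELDS = ["username", "password"];

function acceptInviteHardened(code, body) {
  const invite = INVITES[code];
  if (!invite) return { error: "invalid invite" };
  const user = {};
  for (const f of ALLOWED_FIELDS) {
    if (typeof body[f] !== "string" || body[f].length === 0) {
      return { error: `missing ${f}` };
    }
    user[f] = body[f];
  }
  user.role = invite.role; // privilege never comes from the client
  return { user };
}

// Usage: a forged body that tries to self-assign the admin role.
const forged = { username: "eve", password: "pw", role: "admin" };
acceptInviteVulnerable("abc123", forged).user.role; // "admin"
acceptInviteHardened("abc123", forged).user.role;   // "default"
```

The allowlist is the important part: blocklisting `role` alone would still let a client set any other privileged field the user model grows later.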