767 matches found
CVE-2026-28448
OpenClaw OpenClaw (Twitch plugin) versions 2026.1.29 through 2026.2.0 are affected. The vulnerability resides in the Twitch plugin’s access-control logic (checkTwitchAccessControl in extensions/twitch/src/access-control.ts): when allowFrom is configured and allowedRoles is unset or empty, the cod...
GHSA-QJ22-XQJR-V83V OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection
A missing sender-authorization check in Telegram messagereaction handling allowed unauthorized users to trigger reaction-derived system events. Affected Packages / Versions - Package: openclaw npm - Introduced: 2026.2.17 - Affected: = 2026.2.17 and = 2026.2.24 - Latest published at patch time:...
CVE-2025-14103 Missing Authorization in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions...
GitLab CE/EE 安全漏洞
GitLab Enterprise Edition EE and GitLab Community Edition CE are both products of the American company GitLab. GitLab Enterprise Edition is a content management system. GitLab Community Edition is a community version of GitLab. Versions of GitLab CE/EE prior to 18.7.5, 18.8.5, and 18.9.1 containe...
CVE-2026-26977
Frappe Learning Management System (LMS)
GHSA-GWMX-9GCJ-332H Statamic CMS's missing authorization allows access to assets
Impact Users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take advantage of this. Patches This has been fixed in 5.73.6 and 6.2.5...
Microcom ZeusWeb 安全漏洞
Microcom ZeusWeb is a remote monitoring platform developed by the Spanish company Microcom. Version 6.1.31 of Microcom ZeusWeb contains a security vulnerability. This vulnerability stems from the exposure of sensitive system information to unauthorized participants, which may lead to fingerprint...
PT-2026-7664
Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.6 Statamic versions prior to 6.2.5 Description Statamic is a Laravel and Git powered CMS designed for building websites. Users without the necessary permissions to view assets are able to download them and view...
Hrsale 跨站请求伪造漏洞
Hrsale is a human resources management system written in PHP, developed by the Hrsale team. Version 1.1.8 of Hrsale contains a cross-site request forgeing vulnerability. This vulnerability stems from the existence of cross-site request forgery, which may lead to the addition of unauthorized...
CVE-2025-67856
A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to...
PT-2026-6433
A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to...
CLEANSTART-2026-KA40024 PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access
Multiple security vulnerabilities affect the postgresql package. PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. See references for individual vulnerability details...
IX-Ray Engine security vulnerabilities
IX-Ray Engine is a modern game engine open-source by the IX-Ray Team. Versions of IX-Ray Engine prior to 1.3 contained security vulnerabilities, which were caused by exposing sensitive information to unauthorized participants...
CVE-2022-23240
Active IQ Unified Manager for VMware vSphere, Linux, and Microsoft Windows versions prior to 9.11P1 are susceptible to a vulnerability which allows unauthorized users to update EMS Subscriptions via unspecified vectors...
CVE-2019-18367
In JetBrains TeamCity before 2019.1.2, a non-destructive operation could be performed by a user without the corresponding permissions...
CVE-2019-11545
An issue was discovered in GitLab Community Edition 11.9.x before 11.9.10 and 11.10.x before 11.10.2. It allows Information Disclosure. When an issue is moved to a private project, the private project namespace is leaked to unauthorized users with access to the original issue...
CVE-2020-10618
LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vulnerable to sensitive information exposure by unauthorized users...
CVE-1999-0603
In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc...
CVE-2020-36918
iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the...
CVE-2020-36918 iDS6 DSSPro Digital Signage System 6.2 Cross-Site Request Forgery via User Management
iDS6 DSSPro Digital Signage System 6.2 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can craft malicious web pages to trick logged-in administrators into adding unauthorized users by exploiting the...