Lucene search
K

85 matches found

EUVD
EUVD
added yesterday4 views

EUVD-2026-40416

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References4
CVE
CVE
added 2 days ago8 views

CVE-2026-58448

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago32 views

CVE-2026-58448 yudao-cloud < 2026.06 - BPM Module Broken Access Control via process-instance API

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

7.1CVSS0.00235EPSS
Exploits0References3
Cvelist
Cvelist
added last week19 views

CVE-2025-71327 Flowise - Authentication Bypass via Unprotected Registration Endpoint

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...

9.3CVSS0.0046EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.10 views

PT-2026-52610

Name of the Vulnerable Software and Affected Versions Flowise affected versions not specified Description An authentication bypass exists due to missing access control and improper authentication enforcement on the registration route. This allows unauthenticated remote attackers to use the...

9.3CVSS6AI score0.0046EPSS
Exploits1References4
CVE
CVE
added 2026/05/27 2:13 p.m.27 views

CVE-2026-48926

The CVE-2026-48926 entry concerns Jenkins Job Import Plugin (versions 143.v044a_2e819b_27 and earlier) where an HTTP endpoint does not enforce a permission check. The flaw enables users with Overall/Read access to enumerate credentials IDs stored in Jenkins, indicating an authorization issue with...

4.3CVSS5.8AI score0.00178EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/05/14 12:31 a.m.29 views

EUVD-2026-30181

Improper sanitization of the status query parameter of the /unprotected/novaerror endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response...

8.3CVSS5.9AI score0.00301EPSS
Exploits0References2
NVD
NVD
added 2026/05/13 10:16 p.m.36 views

CVE-2026-32993

Improper sanitization of the status query parameter of the /unprotected/novaerror endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response...

8.3CVSS0.00301EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/13 10:6 p.m.46 views

CVE-2026-32993

Improper sanitization of the status query parameter of the /unprotected/novaerror endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response...

8.3CVSS0.00301EPSS
Exploits0References1
CVE
CVE
added 2026/05/13 10:6 p.m.31 views

CVE-2026-32993

CVE-2026-32993 describes an vulnerability in cPanel & WHM where improper sanitization of the status query parameter on the /unprotected/nova_error endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers in the response. The root cause is insufficient input handling for the st...

8.3CVSS5.9AI score0.00301EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.9 views

cPanel 注入漏洞

cPanel is a web-based automated hosting platform developed by cPanel Inc. This platform is primarily used for automating the management of websites and servers. cPanel has a vulnerability known as “injection attack,” which stems from improper cleaning of the status query parameters in the...

8.3CVSS5.9AI score0.00301EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/21 7:6 p.m.30 views

CVE-2026-40870 Decidim's comments API allows access to all commentable resources

Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that hav...

7.5CVSS0.00287EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/02/27 12:0 a.m.10 views

phpMyFAQ 安全漏洞

phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.0.18 contained security vulnerabilities. These vulnerabilities stemmed from the WebAuthn prepare endpoint, which lacked authentication and CSRF protection, allowing unverified...

7.5CVSS5.8AI score0.0041EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/02/11 7:44 p.m.5 views

CVE-2026-21743

A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotecte...

7.2CVSS5.5AI score0.00336EPSS
Exploits0References1
NVD
NVD
added 2026/02/11 5:16 p.m.3 views

CVE-2026-24789

An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication...

9.8CVSS0.0067EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/11 4:17 p.m.4 views

CVE-2026-24789

An unprotected API endpoint allows an attacker to remotely change the device password without providing authentication...

9.8CVSS5.5AI score0.0067EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/02/10 4:16 p.m.3 views

CVE-2026-21743

A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotecte...

7.2CVSS5.8AI score0.00336EPSS
Exploits0References1
NVD
NVD
added 2026/02/10 4:16 p.m.6 views

CVE-2026-21743

A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotecte...

7.2CVSS0.00336EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/02/10 3:39 p.m.4 views

CVE-2026-21743

A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotecte...

7.2CVSS5.5AI score0.00336EPSS
Exploits0References1
CVE
CVE
added 2026/02/10 3:39 p.m.15 views

CVE-2026-21743

The CVE-2026-21743 issue affects Fortinet FortiAuthenticator releases 6.6.0–6.6.6, all 6.5 series, and all 6.4 and 6.3 versions. It is a missing authorization vulnerability where a read-only user could modify local users by uploading a file to an unprotected endpoint. The CVSS 3.1 base score is 7...

7.2CVSS5.5AI score0.00336EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder