Lucene search
K

230 matches found

CNNVD
CNNVD
added 2026/04/24 12:0 a.m.9 views

AWS Ops Wheel 安全漏洞

AWS Ops Wheel is an open-source tool provided by Amazon Web Services that supports multi-tenant functionality. There is a security vulnerability in AWS Ops Wheel, which stems from improper control over the modification of object properties dynamically determined during the Cognito user pool...

8.8CVSS5.8AI score0.00419EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.5 views

PT-2026-35028

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...

8.8CVSS5.5AI score0.00419EPSS
Exploits0References4
NVD
NVD
added 2026/04/20 12:16 a.m.12 views

CVE-2026-6584

A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function updateuser of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument userid results in authorization bypass. The attack may be...

5.5CVSS0.003EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/19 11:15 p.m.4 views

CVE-2026-6584

A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function updateuser of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument userid results in authorization bypass. The attack may be...

5.5CVSS5.2AI score0.003EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/19 11:15 p.m.6 views

CVE-2026-6584 TransformerOptimus SuperAGI User Update Endpoint user.py update_user authorization

A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function updateuser of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument userid results in authorization bypass. The attack may be...

5.5CVSS5.2AI score0.003EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/19 11:15 p.m.31 views

CVE-2026-6584 TransformerOptimus SuperAGI User Update Endpoint user.py update_user authorization

A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function updateuser of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument userid results in authorization bypass. The attack may be...

5.5CVSS0.003EPSS
Exploits0References4
CVE
CVE
added 2026/04/19 11:15 p.m.12 views

CVE-2026-6584

The CVE concerns TransformerOptimus SuperAGI (up to 0.0.14). The vulnerability is in the update_user function in superagi/controllers/user.py, where manipulating the user_id parameter leads to an authorization bypass. Impact is reported as a remote attack with publicly available exploit. Supporte...

5.5CVSS5.5AI score0.003EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/04/17 3:31 p.m.8 views

Mattermost doesn't validate CSRF tokens on an authentication endpoint

Mattermost versions 10.11.x = 10.11.12, 11.5.x = 11.5.0, 11.4.x = 11.4.2, 11.3.x = 11.3.2 fail to validate CSRF tokens on an authentication endpoint which allows an attacker to update a user's authentication method via a CSRF attack by tricking a user into visiting a malicious page. Mattermost...

8.1CVSS5.2AI score0.00129EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/04/15 7:46 p.m.4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through the updateUserPreference process. An attacker can alter restricted financial attributes by sending crafted API requests to modify their own hourlyrat...

5.3CVSS5.8AI score0.00267EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/14 9:37 p.m.6 views

CVE-2026-40291 Chamilo LMS has Privilege Escalation via API User Role Modification

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/id endpoint allows any authenticated user with ROLESTUDENT to escalate their privileges to ROLEADMIN by modifying the roles field o...

8.8CVSS5.9AI score0.00316EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/10 6:51 p.m.5 views

EUVD-2026-21559

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the updateuserfromusername endpoint. A student status=5 can change their status to Teacher/CourseManager status=1, gaining course creation and management...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/10 6:51 p.m.18 views

CVE-2026-33706 Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher)

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the updateuserfromusername endpoint. A student status=5 can change their status to Teacher/CourseManager status=1, gaining course creation and management...

7.1CVSS0.00168EPSS
Exploits0References2
CVE
CVE
added 2026/04/10 6:51 p.m.12 views

CVE-2026-33706

Chamilo LMS prior to 1.11.38 contains a privilege escalation via the REST API. An authenticated user with a REST API key can modify their own status through the update_user_from_username endpoint, allowing a student (status=5) to elevate to Teacher/CourseManager (status=1) and obtain course creat...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.8 views

Chamilo LMS 安全漏洞

Chamilo LMS is an open-source online learning and collaboration system developed by Chamilo. This system supports the creation of teaching content, remote training, and online quizzes. Prior to version 1.11.38 of Chamilo LMS, there were security vulnerabilities. These vulnerabilities stemmed from...

7.1CVSS5.9AI score0.00168EPSS
Exploits0References3
CVE
CVE
added 2026/04/09 2:25 a.m.15 views

CVE-2026-3568

CVE-2026-3568 affects the WordPress MStore API plugin up to version 4.18.3. The root cause is in update_user_profile() processing the raw JSON field 'meta_data' without validation, allowlisting, or sanitization, and then applying arbitrary keys/values to update_user_meta() after cookie-based auth...

4.3CVSS6AI score0.00226EPSS
Exploits0References8
EUVD
EUVD
added 2026/04/08 6:31 a.m.4 views

EUVD-2026-20043

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspnajaxnoprivserver function within the 'userspnformsave' case. The conditional...

9.8CVSS6.1AI score0.00889EPSS
Exploits0References13
Cvelist
Cvelist
added 2026/04/08 3:36 a.m.21 views

CVE-2026-4003 Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspnajaxnoprivserver function within the 'userspnformsave' case. The conditional...

9.8CVSS0.00889EPSS
Exploits0References12
Github Security Blog
Github Security Blog
added 2026/04/01 9:3 p.m.15 views

NetBird has Race Condition on UpdateUser Function, Resulting in Privilege Escalation From Admin to Owner

Summary A race condition vulnerability allows authenticated admin-privileged users to escalate to owner privilege. Details The vulnerability exists in the updateUser function, which is connected to the /users/userId PUT request. This function then calls the SaveOrAddUsers function, which checks t...

5.9AI score
Exploits0References2Affected Software1
OSV
OSV
added 2026/04/01 9:3 p.m.4 views

GHSA-RXMP-8H9V-56CX NetBird has Race Condition on UpdateUser Function, Resulting in Privilege Escalation From Admin to Owner

Summary A race condition vulnerability allows authenticated admin-privileged users to escalate to owner privilege. Details The vulnerability exists in the updateUser function, which is connected to the /users/userId PUT request. This function then calls the SaveOrAddUsers function, which checks t...

4.4CVSS5.9AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:7 p.m.4 views

CVE-2026-4548

A vulnerability was detected in mickasmt next-saas-stripe-starter 1.0.0. Affected by this vulnerability is the function updateUserrole of the file actions/update-user-role.ts. The manipulation of the argument userId/role results in improper authorization. The attack may be launched remotely...

6.5CVSS6.4AI score0.00195EPSS
Exploits0References1
Rows per page
Query Builder