50 matches found
CVE-2026-42174
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0...
CVE-2026-42174
Kirby CMS (CVE-2026-42174) is vulnerable prior to updates 4.9.0 and 5.4.0: user avatars could be created, replaced, or deleted without proper user.update/users.update permission checks. The root cause is missing authorization gating for avatar actions, allowing users with only file permissions to...
CVE-2026-42174
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0...
CVE-2026-42174 Kirby: User avatar creation, replacement and deletion are not gated by user update permissions
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0...
CVE-2026-42174 Kirby: User avatar creation, replacement and deletion are not gated by user update permissions
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0...
Kirby Security Vulnerability
Kirby is an open-source, file-based content management system. Versions of Kirby prior to 4.9.0 and 5.4.0 had security vulnerabilities. These vulnerabilities stemmed from the ability to create, replace, and delete user avatars without restricting user update permissions...
GHSA-39CP-6679-8XV2 Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions
TL;DR: This vulnerability affects all Kirby sites where users of a particular role have no permission to update user information (user.update or users.update permission is disabled). This can be due to configuration in the blueprints of the acting users, via options in the blueprints of the target...
PT-2026-37168
Name of the Vulnerable Software and Affected Versions: Kirby versions prior to 4.9.0; Kirby versions prior to 5.4.0. Description: Missing authorization in the content management system allows authenticated users to create, replace, or delete user avatars even when they lack the necessary permissions ...
PT-2026-33801
Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/username. The role field is accepted by the update model without a manage users permission check for self-updates, enabling privile...
Arbitrary Code Injection
Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the overrides.yoke.cd/flight annotation, which allows a user-supplied URL to be used directly by the controller without validation. An attacker can execute arbitrary code within the controller context by...
GHSA-WJ8P-JJ64-H7FF Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC
This vulnerability exists in the Air Traffic Controller (ATC) component of Yoke, a Kubernetes deployment tool. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller...
CVE-2026-26056 Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a...
CVE-2026-26056
Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a...
CVE-2026-21896 Kirby is missing permission checks in the content changes API
Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by...
CVE-2025-36192
IBM DS8A00 R10.1 10.10.106.0 and IBM DS8A00 R10.0 10.1.3.010.2.45.0 and IBM DS8900F R9.4 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS...
CVE-2025-36192
IBM DS8A00 R10.1 10.10.106.0 and IBM DS8A00 R10.0 10.1.3.010.2.45.0 and IBM DS8900F R9.4 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS...
CVE-2025-36192
CVE-2025-36192 affects IBM System Storage DS8000 family (DS8A00 with R10.0–R10.1 and DS8900F with R9.4). The root cause is missing authorization in Safeguarded Copy / GDPS logical corruption protection, enabling a local user with authorized CCW update permissions to delete or corrupt backups. IBM...
CVE-2025-36192 Missing Authorization with the DS8900F and DS8A00 Hardware Management Console
IBM DS8A00 R10.1 10.10.106.0 and IBM DS8A00 R10.0 10.1.3.010.2.45.0 and IBM DS8900F R9.4 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS...
EUVD-2008-5968
Malware in sbrugna...
EUVD-2009-4326
Malware in sbrugna...