CVE-2026-6584

A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function updateuser of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument userid results in authorization bypass. The attack may be...

CVE-2026-6584 TransformerOptimus SuperAGI User Update Endpoint user.py update_user authorization

A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function updateuser of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument userid results in authorization bypass. The attack may be...

CVE-2026-6584

A vulnerability was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function updateuser of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument userid results in authorization bypass. The attack may be...

EUVD-2026-21559

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the updateuserfromusername endpoint. A student status=5 can change their status to Teacher/CourseManager status=1, gaining course creation and management...

CVE-2026-33706 Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher)

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the updateuserfromusername endpoint. A student status=5 can change their status to Teacher/CourseManager status=1, gaining course creation and management...

CVE-2026-33706

Chamilo LMS prior to 1.11.38 contains a privilege escalation via the REST API. An authenticated user with a REST API key can modify their own status through the update_user_from_username endpoint, allowing a student (status=5) to elevate to Teacher/CourseManager (status=1) and obtain course creat...

Vulnerability-Report

Unauthenticated Arbitrary File Upload RCE in Gaatitrack Cour...

CVE-2025-70152

code-projects Community Project Scholars Tracking System 1.0 is vulnerable to SQL Injection in the admin user management endpoints /admin/saveuser.php and /admin/updateuser.php. These endpoints lack authentication checks and directly concatenate user-supplied POST parameters firstname, lastname,...

CVE-2025-70152

code-projects Community Project Scholars Tracking System 1.0 is vulnerable to SQL Injection in the admin user management endpoints /admin/saveuser.php and /admin/updateuser.php. These endpoints lack authentication checks and directly concatenate user-supplied POST parameters firstname, lastname,...

Authentication Bypass Using an Alternate Path or Channel

Overview org.apache.kylin:kylin-core-common is a package part of Apache Kylin. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the /api/user/updateuser endpoint. An attacker can gain unauthorized access by exploiting this endpoint t...

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the /api/user/updateuser endpoint. An attacker can gain unauthorized access by exploiting this endpoint to bypass authentication mechanisms. Remediation Upgrade...

Simple Chat System 注入漏洞

Chat System is a chat system. Chat System suffers from a SQL injection vulnerability that stems from a lack of adequate validation of the input of the id parameter in the /admin/updateuser.php file. No details of the vulnerability are available at this time...

PT-2023-24394 · Unknown · Sourcecodester Faculty Evaluation System

Name of the Vulnerable Software and Affected Versions: Sourcecodester Faculty Evaluation System version 1.0 Description: The issue allows for arbitrary code execution via the "ip/eval/ajax.php?action=update user" API endpoint. This could potentially lead to unauthorized access and control of the...

CVE-2022-36750

Clinic's Patient Management System v1.0 is vulnerable to SQL injection via /pms/updateuser.php?id=...

PT-2022-23604 · Unknown · Clinic'S Patient Management System

Name of the Vulnerable Software and Affected Versions: Clinic's Patient Management System version 1.0 Description: The issue concerns a SQL injection vulnerability. It can be exploited via the /pms/update user.php endpoint, specifically through the id parameter. Recommendations: For Clinic's...