Lucene search
+L

2116 matches found

CNNVD
CNNVD
added 2026/03/23 12:0 a.m.9 views

Simple E-Learning System SQL注入漏洞

Simple E-Learning System is a simple e-learning system developed by Carlo Montero as an individual project. Version 1.0 of Simple E-Learning System has a SQL injection vulnerability. This vulnerability stems from improper handling of the firstName parameter in the User Profile Update Handler...

6.5CVSS6.6AI score0.00196EPSS
Exploits0References5
NVD
NVD
added 2026/03/20 6:16 p.m.6 views

CVE-2026-31836

Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions from 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any...

8.1CVSS0.00295EPSS
Exploits1References1
CVE
CVE
added 2026/03/20 5:50 p.m.10 views

CVE-2026-31836

CVE-2026-31836 affects Checkmate (open-source self-hosted tool). Versions up to and including 3.5.1 contain a mass assignment vulnerability in the user profile update endpoint, allowing any authenticated user to escalate to superadmin and bypass RBAC. This grants complete administrative access (v...

8.1CVSS5.8AI score0.00295EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/03/20 5:50 p.m.4 views

CVE-2026-31836 Mass Assignment Privilege Escalation in Checkmate

Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions from 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any...

8.1CVSS5.9AI score0.00295EPSS
Exploits1References3
EUVD
EUVD
added 2026/03/19 6:31 p.m.7 views

EUVD-2026-13124

OPEXUS eComplaint and eCASE before 10.2.0.0 do not correctly sanitize the contents of first and last name fields in a user profile. An authenticated attacker can inject parts of an XSS payload in their first and last name fields. The payload is executed when the user's full name is rendered. The...

5.5CVSS5.8AI score0.00141EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/16 3:30 p.m.4 views

EUVD-2026-12379

Insecure Direct Object Reference IDOR vulnerability in Campus Educativa specifically at the endpoint '/archivos/usuarios/ID/username/thumbAAxAA.jpg' translated as 80x90 and 40x45. Successful exploitation of this vulnerability could allow an unauthenticated attacker to access the profile photos of...

6.9CVSS5.8AI score0.00261EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/16 9:37 a.m.1 views

CVE-2026-3111 Multiple vulnerabilities on the Educativa Campus

Insecure Direct Object Reference IDOR vulnerability in Campus Educativa specifically at the endpoint '/archivos/usuarios/ID/username/thumbAAxAA.jpg' translated as 80x90 and 40x45. Successful exploitation of this vulnerability could allow an unauthenticated attacker to access the profile photos of...

6.9CVSS5.8AI score0.00261EPSS
Exploits0References1
CVE
CVE
added 2026/03/16 9:37 a.m.21 views

CVE-2026-3111

CVE-2026-3111 affects Educativa Campus. An Insecure Direct Object Reference permits an unauthenticated attacker to access any user’s profile photo via the manipulated URL /archivos/usuarios/[ID]/[username]/thumb_AAxAA.jpg (80x90 and 40x45). The provided metrics state CVSS v4 base score 6.9 (Netwo...

6.9CVSS5.8AI score0.00261EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/16 12:0 a.m.9 views

INDEX ÉDUCATION PRONOTE 安全漏洞

INDEX ÉDUCATION PRONOTE is an educational management platform developed by the French company INDEX ÉDUCATION. Versions of INDEX ÉDUCATION PRONOTE prior to version 2025.2.8 contained security vulnerabilities. These vulnerabilities were due to improper access control, which could allow unverified...

5.3CVSS5.8AI score0.00243EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/27 7:38 p.m.25 views

CVE-2026-27793 Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...

6.5CVSS0.00231EPSS
Exploits0References3
CVE
CVE
added 2026/02/27 7:38 p.m.27 views

CVE-2026-27793

CVE-2026-27793 describes a broken access control in Seerr prior to 3.1.0, where the GET /api/v1/user/:id endpoint returns the full user settings object (including credentials for Pushover, Pushbullet, Telegram) to any authenticated requester, regardless of privileges. This allows eavesdropping of...

6.5CVSS5.9AI score0.00231EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/02/27 8:17 a.m.12 views

CVE-2026-0871

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the syste...

4.9CVSS0.00307EPSS
Exploits0References4
EUVD
EUVD
added 2026/02/26 10:22 p.m.7 views

EUVD-2026-8797

WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level...

8.8CVSS5.2AI score0.00306EPSS
Exploits0References5
Snyk
Snyk
added 2026/02/26 3:13 a.m.3 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management via the IsAdmin field in the user profile update process. An attacker can gain unauthorized administrative privileges by sending a crafted PUT request to their own user profile endpoint with IsAdmin set to...

8.8CVSS6AI score0.00306EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/02/23 7:35 p.m.9 views

CVE-2026-2947

A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. The manipulation results in cross site scripting. The attack can be executed...

5.4CVSS3.5AI score0.00276EPSS
Exploits1References1
OSV
OSV
added 2026/02/22 2:16 p.m.10 views

CVE-2026-2947

A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. The manipulation results in cross site scripting. The attack can be executed...

5.4CVSS4.1AI score0.00276EPSS
Exploits1References4
NVD
NVD
added 2026/02/22 2:16 p.m.11 views

CVE-2026-2947

A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. The manipulation results in cross site scripting. The attack can be executed...

5.4CVSS0.00276EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/02/22 1:32 p.m.7 views

CVE-2026-2947

A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. The manipulation results in cross site scripting. The attack can be executed...

5.1CVSS3.6AI score0.00276EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/02/22 1:32 p.m.37 views

CVE-2026-2947 rymcu forest User Profile UserInfoController.java updateUserInfo cross site scripting

A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. The manipulation results in cross site scripting. The attack can be executed...

5.1CVSS0.00276EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/02/22 12:0 a.m.8 views

PT-2026-21450

Name of the Vulnerable Software and Affected Versions rymcu forest versions up to 0.0.5 Description A cross-site scripting issue exists in rymcu forest. The issue is located in the updateUserInfo function within the src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java file of the...

5.1CVSS4.6AI score0.00276EPSS
Exploits1References7
Rows per page
Query Builder