336 matches found

NVD
added 2026/05/22 7:17 p.m., 7 views

CVE-2026-40172

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...

CVSS 8.1 | EPSS 0.00011
Exploits 0 | References 3
AstraLinux
added 2026/05/20 5:53 a.m., 2 views

Astra Linux - vulnerability in firefox

When sharing geolocation during an active WebRTC share, Firefox may reset the WebRTC sharing state in the user interface, resulting in a loss of control over the currently granted permissions. This vulnerability affects Firefox versions earlier than 85...

CVSS 4.3 | AI score 6.7 | EPSS 0.0015
Exploits 0 | References 1
CVE
added 2026/05/06 6:42 p.m., 5 views

CVE-2026-41938

Vvveb

CVSS 8.8 | AI score 6.6 | EPSS 0.0009
Exploits 0 | References 4
ATTACKERKB
added 2026/03/02 6:42 p.m., 1 view

CVE-2026-0021

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 8.4 | AI score 6.1 | EPSS 0.00003
Exploits 0 | References 3 | Affected Software 1
Vulnrichment
added 2026/03/02 6:42 p.m., 0 views

CVE-2026-0021

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

AI score 6.1 | EPSS 0.00003
Exploits 0 | References 1
EUVD
added 2026/03/02 6:42 p.m., 1 view

EUVD-2026-9236

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 8.4 | AI score 6.1 | EPSS 0.00003
Exploits 0 | References 1
CVE
added 2026/03/02 6:42 p.m., 8 views

CVE-2026-0021

PTSecurity entries PT-2026-4689, PT-2026-4690, PT-2026-4686, PT-2026-4684, PT-2026-4683, PT-2026-4691, PT-2026-4687, PT-2026-4688, PT-2026-4692 include CVE-2026-0021 as part of the High severity list for upcoming patch levels. The CVE is mentioned within the consolidated patch preview but there a...

CVSS 8.4 | AI score 6.1 | EPSS 0.00003
Exploits 0 | References 1 | Affected Software 1
Cvelist
added 2026/03/02 6:42 p.m., 20 views

CVE-2026-0021

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

EPSS 0.00003
Exploits 0 | References 1
OSV
added 2026/03/01 12:00 a.m., 0 views

ASB-A-430047417

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 8.4 | AI score 6.1 | EPSS 0.00003
Exploits 0 | References 2
NVD
added 2026/02/11 11:16 p.m., 3 views

CVE-2026-20601

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to monitor keystrokes without user permission...

CVSS 3.3 | EPSS 0.00006
Exploits 0 | References 1
ATTACKERKB
added 2026/02/11 10:58 p.m., 2 views

CVE-2026-20601

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to monitor keystrokes without user permission...

AI score 5.4 | EPSS 0.00006
Exploits 0 | References 2
CVE
added 2026/02/11 10:58 p.m., 9 views

CVE-2026-20601

CVE-2026-20601 affects macOS Tahoe before the 26.3 release. The issue is a permissions flaw that could allow an app to monitor keystrokes without user consent. Apple fixed it in Tahoe 26.3 by applying additional restrictions. Across connected sources, the vulnerability is tied to a local attack v...

CVSS 3.3 | AI score 5.4 | EPSS 0.00006
Exploits 0 | References 1 | Affected Software 1
Vulnrichment
added 2026/02/11 10:58 p.m., 2 views

CVE-2026-20601

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to monitor keystrokes without user permission...

AI score 5.5 | EPSS 0.00006
Exploits 0 | References 1
Positive Technologies
added 2026/02/11 12:00 a.m., 3 views

PT-2026-7742

Name of the Vulnerable Software and Affected Versions: macOS versions prior to 26.3. Description: A permissions issue allowed an application to monitor keystrokes without user permission. This issue was addressed with additional restrictions. Recommendations: Update to macOS version 26.3...

AI score 5.4 | EPSS 0.00006
Exploits 0 | References 3
OSV
added 2026/01/27 3:30 p.m., 1 view

GHSA-R2JV-FWFR-4J8C askbot inexhaustive permissions check allows any user to modify a different user's profile picture

All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2...

CVSS 5.3 | AI score 5.9 | EPSS 0.00011
Exploits 1 | References 5
Vulnrichment
added 2026/01/24 1:57 a.m., 3 views

CVE-2026-24420 phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in...

CVSS 6.5 | AI score 5.8 | EPSS 0.00016
Exploits 1 | References 1
CVE
added 2026/01/24 1:57 a.m., 10 views

CVE-2026-24420

phpMyFAQ vulnerability CVE-2026-24420 affects versions 4.0.16 and older, where an authenticated user lacking the dlattachment right can download attachments due to a flawed permissions check in attachment.php. The access decision incorrectly treats the mere presence of a permission key as authori...

CVSS 6.5 | AI score 5.4 | EPSS 0.00016
Exploits 1 | References 1 | Affected Software 1
RedhatCVE
added 2026/01/09 10:42 a.m., 6 views

CVE-2022-26595

Liferay Portal 7.3.7, 7.4.0, and 7.4.1, and Liferay DXP 7.2 fix pack 13, and 7.3 fix pack 2 do not properly check user permission when accessing a list of sites/groups, which allows remote authenticated users to view sites/groups via the user's site membership assignment UI...

CVSS 4.3 | AI score 6.4 | EPSS 0.00112
Exploits 0 | References 1
RedhatCVE
added 2026/01/09 8:48 a.m., 4 views

CVE-2025-23403

A vulnerability has been identified in SIMATIC IPC DiagBase All versions, SIMATIC IPC DiagMonitor All versions. The affected devices do not properly restrict the user permission for the registry key. This could allow an authenticated attacker to load vulnerable drivers into the system leading to...

CVSS 7.3 | AI score 7 | EPSS 0.00009
Exploits 0 | References 1
Github Security Blog
added 2025/12/02 12:35 a.m., 4 views

Grav vulnerable to Privilege Escalation in Grav Admin: Missing Username Uniqueness Check Allows Admin Account Takeover

Summary: A privilege escalation vulnerability exists in Grav’s Admin plugin due to the absence of username uniqueness validation when creating users. A user with the create user permission can create a new account using the same username as an existing administrator account, set a new...

CVSS 8.8 | AI score 7.1 | EPSS 0.00062
Exploits 0 | References 4 | Affected Software 1