Lucene search
+L

340 matches found

cvelist
cvelist
•added last week•34 views

CVE-2026-59227 Open WebUI: POST /api/v1/images/edit bypasses the global image-edit switch and the per-user image-generation permission

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to...

4.3CVSS0.00259EPSS
Exploits1References4
osv
osv
•added 2026/06/23 10:27 p.m.•3 views

GHSA-8C6H-7G6X-M5X4 phpMyFAQ: Missing userHasPermission() in 4 API write endpoints (CVE-2026-24421 Incomplete Fix)

Missing Authorization in API CategoryController — CVE-2026-24421 fixed BackupController by adding userHasPermissionPermissionType::BACKUP. The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call hasValidToken shared API key but never call userHasPermission,...

6.5CVSS5.9AI score0.0024EPSS
Exploits0References4
attackerkb
attackerkb
•added 2026/06/18 9:12 p.m.•9 views

CVE-2026-49205

phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this-userHasPermissionPermissionType::BACKUP. The same fix was not applied to 4 other write endpoints...

6.5CVSS5.2AI score0.0024EPSS
Exploits0References3Affected Software1
nvd
nvd
•added 2026/05/22 7:17 p.m.•14 views

CVE-2026-40172

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...

8.1CVSS0.00535EPSS
Exploits0References3
astralinux
astralinux
•added 2026/05/20 5:53 a.m.•5 views

Astra Linux – Vulnerability in Firefox

When sharing geolocation during an active WebRTC share, Firefox may reset the WebRTC sharing state in the user interface, resulting in a loss of control over the currently granted permissions. This vulnerability affects Firefox versions earlier than 85...

4.3CVSS5.5AI score0.00657EPSS
Exploits0References1
cve
cve
•added 2026/05/06 6:42 p.m.•13 views

CVE-2026-41938

Vvveb

8.8CVSS6.6AI score0.00541EPSS
Exploits0References4
osv
osv
•added 2026/03/31 1:51 p.m.•3 views

CVE-2026-20915 Stored cross-site scripting in Pending Changes sidebar

Stored cross-site scripting XSS in Checkmk version 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar...

8.5CVSS5.8AI score0.00147EPSS
Exploits0References3
vulnrichment
vulnrichment
•added 2026/03/02 6:42 p.m.•4 views

CVE-2026-0021

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

6.1AI score0.00098EPSS
Exploits0References1
cvelist
cvelist
•added 2026/03/02 6:42 p.m.•30 views

CVE-2026-0021

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

0.00098EPSS
Exploits0References1
attackerkb
attackerkb
•added 2026/03/02 6:42 p.m.•3 views

CVE-2026-0021

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

8.4CVSS6.1AI score0.00098EPSS
Exploits0References3Affected Software1
cve
cve
•added 2026/03/02 6:42 p.m.•24 views

CVE-2026-0021

CVE-2026-0021 describes a cross-user permission bypass in AppInfoBase.java (hasInteractAcrossUsersFullPermission). The flaw enables local escalation of privilege with no extra execution privileges required and no user interaction needed to exploit. Android ecosystem sources (NVD/NCSC/CIRCL/CVELIS...

8.4CVSS6.1AI score0.00098EPSS
Exploits0References1Affected Software1
euvd
euvd
•added 2026/03/02 6:42 p.m.•4 views

EUVD-2026-9236

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

8.4CVSS6.1AI score0.00098EPSS
Exploits0References1
osv
osv
•added 2026/03/01 12:0 a.m.•6 views

ASB-A-430047417

In hasInteractAcrossUsersFullPermission of AppInfoBase.java, there is a possible cross-user permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

8.4CVSS6.1AI score0.00098EPSS
Exploits0References2
nvd
nvd
•added 2026/02/11 11:16 p.m.•8 views

CVE-2026-20601

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to monitor keystrokes without user permission...

3.3CVSS0.00141EPSS
Exploits0References1
attackerkb
attackerkb
•added 2026/02/11 10:58 p.m.•4 views

CVE-2026-20601

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to monitor keystrokes without user permission...

5.4AI score0.00141EPSS
Exploits0References2
vulnrichment
vulnrichment
•added 2026/02/11 10:58 p.m.•3 views

CVE-2026-20601

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to monitor keystrokes without user permission...

5.5AI score0.00141EPSS
Exploits0References1
cve
cve
•added 2026/02/11 10:58 p.m.•22 views

CVE-2026-20601

CVE-2026-20601 affects macOS Tahoe before the 26.3 release. The issue is a permissions flaw that could allow an app to monitor keystrokes without user consent. Apple fixed it in Tahoe 26.3 by applying additional restrictions. Across connected sources, the vulnerability is tied to a local attack v...

3.3CVSS5.4AI score0.00141EPSS
Exploits0References1Affected Software1
ptsecurity
ptsecurity
•added 2026/02/11 12:0 a.m.•14 views

PT-2026-7742

Name of the Vulnerable Software and Affected Versions macOS versions prior to 26.3 Description A permissions issue allowed an application to monitor keystrokes without user permission. This issue was addressed with additional restrictions. Recommendations Update to macOS version 26.3...

5.4AI score0.00141EPSS
Exploits0References3
osv
osv
•added 2026/01/27 3:30 p.m.•4 views

GHSA-R2JV-FWFR-4J8C askbot inexhaustive permissions check allows any user to modify a different user's profile picture

All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2...

5.3CVSS5.9AI score0.00318EPSS
Exploits1References5
cve
cve
•added 2026/01/24 1:57 a.m.•21 views

CVE-2026-24420

phpMyFAQ vulnerability CVE-2026-24420 affects versions 4.0.16 and older, where an authenticated user lacking the dlattachment right can download attachments due to a flawed permissions check in attachment.php. The access decision incorrectly treats the mere presence of a permission key as authori...

6.5CVSS5.4AI score0.0042EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder