Lucene search
K

35 matches found

RedhatCVE
RedhatCVE
added 2026/06/25 6:44 p.m.9 views

CVE-2026-47102

A flaw was found in LiteLLM. A user with access to the /user/update endpoint can exploit a privilege escalation vulnerability. By modifying their own userrole to proxyadmin, an attacker can gain full administrative access to LiteLLM, including control over all users, teams, keys, models, and prom...

8.8CVSS6AI score0.00653EPSS
Exploits2References10
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.11 views

PT-2026-52655

Name of the Vulnerable Software and Affected Versions Lemur affected versions not specified Description Passwords are stored in plaintext in the users.password column when a user's password is updated. This occurs because the User model only triggers password hashing during the before insert even...

4.9CVSS5.8AI score
Exploits0References5
NVD
NVD
added 2026/05/29 4:16 p.m.14 views

CVE-2018-25387

HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksiuser.php script with parameters like iduser, password, and leve...

6.9CVSS0.00175EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/29 2:46 p.m.13 views

EUVD-2018-21909

HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksiuser.php script with parameters like iduser, password, and leve...

6.9CVSS5.7AI score0.00175EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.9 views

PT-2026-44865

HaPe PKH 1.1 contains a cross-site request forgery vulnerability that allows attackers to change administrator passwords by submitting forged requests to the user update endpoint. Attackers can craft malicious forms targeting the aksi user.php script with parameters like id user, password, and...

6.9CVSS5.7AI score0.00175EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/26 7:29 p.m.8 views

CVE-2026-44832

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/id with permissionsadmin=1. The API controller only strips the superuser key from the...

8.8CVSS5.8AI score0.00314EPSS
Exploits0References3Affected Software1
GithubExploit
GithubExploit
added 2026/05/25 1:37 p.m.163 views

Exploit for CVE-2026-47102

CVE-2026-47102 – LiteLLM Privilege Escalation via /user/updat...

8.8CVSS5.7AI score0.00739EPSS
Exploits4
GithubExploit
GithubExploit
added 2026/05/25 9:10 a.m.111 views

Exploit for CVE-2026-47101

CVE-2026-47101 — LiteLLM Privilege Escalation via /key/genera...

8.8CVSS5.8AI score0.00739EPSS
Exploits3
Snyk
Snyk
added 2026/05/21 11:46 p.m.12 views

Incorrect Authorization

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Incorrect Authorization via the /user/update endpoint. An attacker can gain full administrative access by modifying their own userrole field to proxyadmin to escalate...

8.8CVSS5.8AI score0.00653EPSS
Exploits2References2
OSV
OSV
added 2026/05/21 9:30 p.m.2 views

GHSA-WPFP-GWWC-VWQ6 LiteLLM allows a user to modify their own user_role via the /user/update endpoint

LiteLLM prior to 1.83.10 allows a user to modify their own userrole via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxyadmin...

8.8CVSS6.1AI score0.00653EPSS
Exploits2References10
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.6 views

LiteLLM allows a user to modify their own user_role via the /user/update endpoint

LiteLLM prior to 1.83.10 allows a user to modify their own userrole via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxyadmin...

8.8CVSS6.1AI score0.00653EPSS
Exploits2References10Affected Software1
NVD
NVD
added 2026/05/21 9:16 p.m.13 views

CVE-2026-47102

LiteLLM prior to 1.83.10 allows a user to modify their own userrole via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxyadmin...

8.8CVSS0.00653EPSS
Exploits2References11
Cvelist
Cvelist
added 2026/05/21 8:34 p.m.34 views

CVE-2026-47102 LiteLLM < 1.83.10 Privilege Escalation via User Update

LiteLLM prior to 1.83.10 allows a user to modify their own userrole via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxyadmin...

8.8CVSS0.00653EPSS
Exploits2References8
Vulnrichment
Vulnrichment
added 2026/05/21 8:34 p.m.9 views

CVE-2026-47102 LiteLLM < 1.83.10 Privilege Escalation via User Update

LiteLLM prior to 1.83.10 allows a user to modify their own userrole via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxyadmin...

8.8CVSS5.8AI score0.00653EPSS
Exploits2References8
EUVD
EUVD
added 2026/05/21 8:34 p.m.9 views

EUVD-2026-31345

LiteLLM prior to 1.83.10 allows a user to modify their own userrole via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxyadmin...

8.8CVSS5.8AI score0.00653EPSS
Exploits2References7
CVE
CVE
added 2026/05/21 8:34 p.m.47 views

CVE-2026-47102

LiteLLM is affected up to version 1.83.10. A vulnerability in the /user/update endpoint allows a user to modify their own user_role, potentially elevating to proxy_admin and gaining full administrative access to LiteLLM (including users, teams, keys, models, and prompt history). The flaw arises b...

8.8CVSS5.8AI score0.00653EPSS
Exploits2References11Affected Software1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.4 views

Astra Linux – Vulnerability in Zabbix

A authenticated user with API access e.g., a user with the default User role can be added to any group e.g., Zabbix Administrators. Specifically, a user with access to the user.update API endpoint can be added to any group, except for groups that are disabled or have restricted GUI access...

8.8CVSS7.2AI score0.0073EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/05/11 3:54 p.m.6 views

CVE-2026-42843

Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management. Prior to 1.0.0-beta.15, an insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any...

8.8CVSS5.8AI score0.0035EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/09 7:9 p.m.8 views

CVE-2026-42562

Plainpad is a self hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/id. The endpoint directly persists the admin attribute from user input, and the escalated accou...

8.3CVSS5.7AI score0.00261EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/05/05 9:20 p.m.7 views

GHSA-R945-H4VM-H736 Grav API Privilege Escalation to Super Admin

Summary An insecure direct object reference and logic flaw in the Grav API plugin UsersController::update allows any authenticated user with basic API access api.access to modify their own permission configuration. An attacker can exploit this to escalate their privileges to Super Administrator...

8.8CVSS5.9AI score0.0035EPSS
Exploits1References4
Rows per page
Query Builder