Lucene search
K

232 matches found

NVD
NVD
added 2026/06/29 6:16 p.m.8 views

CVE-2026-57945

PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PU...

5.3CVSS0.0019EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/29 5:18 p.m.7 views

EUVD-2026-40162

PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PU...

5.3CVSS5.9AI score0.0019EPSS
Exploits0References3
CVE
CVE
added 2026/06/29 5:18 p.m.17 views

CVE-2026-57945

Summary of CVE-2026-57945 (PhotoPrism) : A broken access control flaw in PhotoPrism prior to 260601-a7d098548 allows authenticated non-admin users to modify other users’ profile information by exploiting the PUT /api/v1/users/{uid} endpoint. The root cause is missing validation that ties the sess...

5.3CVSS5.9AI score0.0019EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/29 6:45 a.m.8 views

EUVD-2026-40044

A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The exploit has been published and may be used. The project wa...

6.5CVSS5.4AI score0.00214EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/06/29 6:45 a.m.8 views

CVE-2026-13544

A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The exploit has been published and may be used. The project wa...

6.5CVSS6.2AI score0.00214EPSS
Exploits0References8Affected Software1
Cvelist
Cvelist
added 2026/06/29 6:45 a.m.37 views

CVE-2026-13544 Feehi CMS API users access control

A flaw has been found in Feehi CMS up to 2.1.1. Affected by this issue is some unknown functionality of the file /api/users of the component API. This manipulation causes improper access controls. The attack can be initiated remotely. The exploit has been published and may be used. The project wa...

6.5CVSS0.00214EPSS
Exploits0References8
CVE
CVE
added 2026/06/29 6:45 a.m.24 views

CVE-2026-13544

The CVE refers to Feehi CMS (up to version 2.1.1) with an issue in the API component, specifically the /api/users endpoint. The flaw allows manipulation that leads to improper access controls, enabling remote initiation of an attack. Public exploit appears to be available, and the vendor/maintain...

6.5CVSS6.2AI score0.00214EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/06/26 6:56 p.m.8 views

CVE-2026-52784

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "useradmin". This vulnerability is fixed in 17.3.3 and 17.4.1...

8.8CVSS5.8AI score0.00163EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/22 10:57 p.m.4 views

GHSA-9M6G-WC8R-Q59C scimPatch vulnerable to prototype pollution via unfiltered keys in patch

Summary scim-patch performs prototype pollution when applying a SCIM PATCH operation whose value object contains a key like "proto.someProp". After one such patch, Object.prototype.someProp is set process-wide, affecting every plain object in the Node process. Any service that calls scimPatch on...

9.1CVSS5.8AI score
Exploits0References3
NVD
NVD
added 2026/06/21 10:16 a.m.14 views

CVE-2026-12799

A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this issue is the function uiviewusers of the file litellm/proxy/managementendpoints/internaluserendpoints.py of the component Incomplete Fix CVE-2025-0628. Such manipulation leads to improper authorization. I...

5.3CVSS0.00288EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/06/21 10:0 a.m.35 views

CVE-2026-12799 BerriAI litellm Incomplete Fix CVE-2025-0628 internal_user_endpoints.py ui_view_users improper authorization

A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this issue is the function uiviewusers of the file litellm/proxy/managementendpoints/internaluserendpoints.py of the component Incomplete Fix CVE-2025-0628. Such manipulation leads to improper authorization. I...

5.3CVSS0.00288EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.9 views

CVE-2026-40291

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/id endpoint allows any authenticated user with ROLESTUDENT to escalate their privileges to ROLEADMIN by modifying the roles field o...

8.8CVSS5.5AI score0.00316EPSS
Exploits0References1
NVD
NVD
added 2026/06/01 9:16 a.m.17 views

CVE-2026-10236

A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to improper authorization. The attack may be launched remotely...

7.5CVSS0.00371EPSS
Exploits0References6
GithubExploit
GithubExploit
added 2026/05/30 5:37 a.m.277 views

RestroPress-WordPress-Plugin-Sensitive-API-Key-amp-Token-Exposure-Vulnerability-Exploitation

📌 Overview CVE-2025-9209 is a critical information disclo...

9.8CVSS7.2AI score0.02196EPSS
Exploits6
Vulnrichment
Vulnrichment
added 2026/05/29 2:46 p.m.11 views

CVE-2018-25397 PHP-SHOP 1.0 Cross-Site Request Forgery via users.php

PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST...

6.9CVSS5.7AI score0.00162EPSS
Exploits0References3
CVE
CVE
added 2026/05/29 2:46 p.m.17 views

CVE-2018-25397

PHP-SHOP 1.0 is affected by a cross-site request forgery in the users.php endpoint. An unauthenticated attacker can craft a page with a hidden form that automatically POSTs parameters (name, email, password, permissions) to create an admin account, by convincing an authenticated administrator to ...

6.9CVSS5.7AI score0.00162EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/26 7:29 p.m.8 views

CVE-2026-44832 Snipe-IT: Privilege Escalation via API Permissions Assignment

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, aAn authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/id with permissionsadmin=1. The API controller only strips the superuser key from the...

7.1CVSS5.8AI score0.00314EPSS
Exploits0References2
OSV
OSV
added 2026/05/18 5:42 p.m.43 views

GHSA-C54J-XP92-WH28 Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Summary The POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances, this endpoint bypasses the admin-restricted invite flo...

8.8CVSS6AI score0.00261EPSS
Exploits0References4
OSV
OSV
added 2026/05/18 5:34 p.m.7 views

GHSA-9M6V-8FXC-4R44 Sulu: Used API Keys may be available via Admin API

Impact The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core. Patch...

2.3CVSS5.8AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/18 5:34 p.m.18 views

Sulu: Used API Keys may be available via Admin API

Impact The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core. Patch...

5.8AI score
Exploits0References4Affected Software1
Rows per page
Query Builder