CVE-2026-49002

Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information...

CVE-2026-49002

Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information...

FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field

Summary The application fails to validate the nick parameter during a POST request to the EditUser controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account including the Administrator. This leads to Broken Access Control and...

Hobby coder accidentally creates vacuum robot army

Sammy Azdoufal wanted to steer his robot vacuum with a PS5 controller. Like any good maker, he thought it would be fun to drive a new DJI Romo around manually. He ended up gaining access to an army of robotic cleaners that gave him eyes into thousands of homes. Driven by purely playful reasons,...

CVE-2026-22624

Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization...

Weblate leaks information via screenshots

Impact The screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. Patches https://github.com/WeblateOrg/weblate/pull/17516 References Thanks to Lukas May and Michael Leu...

CVE-2025-4596 Information disclosure via IDOR in Asseco AMDX

Asseco ADMX system is used for processing medical records. It allows logged in users to access medical files belonging to other users through manipulation of GET arguments containing document IDs. This issue has been fixed in 6.09.01.62 version of ADMX...

Online Shopping Portal Insecure Direct Object Reference Vulnerability

Online Shopping Portal is an online store. Online Shopping Portal suffers from an insecure direct object reference vulnerability, which stems from the order tracking functionality not properly implementing an access control mechanism that directly references data sent from the client as an object...

CVE-2025-64065

The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...

PT-2025-48073

The Primakon Pi Portal 1.0.18 API /api/V2/pp udfv admin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...

CVE-2025-64065

The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...

CVE-2025-64065

Primakon Pi Portal 1.0.18 exposes /api/V2/pp_udfv_admin to authenticated, low-privilege users via an access control flaw (Broken Function Level Authorization) and insecure design, enabling direct PATCH-based impersonation of arbitrary users, including Administrators, without password or admin tok...

CVE-2025-60914

Incorrect access control in Austrian Archaeological Institute Openatlas before v8.12.0 allows attackers to access sensitive information via sending a crafted GET request to the /displaylogo endpoint...

EUVD-2019-6722

Malware in sbrugna...

EUVD-2021-22758

Malware in sbrugna...

EUVD-2021-9988

Malicious code in bioql PyPI...

Mattermost boards plugin fails to restrict download access to files

Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration...

CVE-2025-49810

Mattermost versions 10.5.x = 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts...

CVE-2025-49810 Thread summarization allows persistent access to channel

Mattermost versions 10.5.x = 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts...

The vulnerability of the Web Server component of the Oracle BI Publisher software, which is used for creating reports, allows a malicious individual to gain access to read, modify, add, or delete data.

The vulnerability of the Web Server component of the Oracle BI Publisher software for creating reports is related to lack of access control measures. Exploiting this vulnerability could allow an attacker to gain read, modify, add, or delete access to data...