Lucene search
+L

163021 matches found

RedhatCVE
RedhatCVE
added 2 days ago11 views

CVE-2026-47084

A flaw was found in Cyrus IMAP cyrus-imapd. An authenticated user, without administrative privileges, could bypass Access Control List ACL checks by using the LOCALDELETE command. This allowed them to delete mailboxes for which they did not have the necessary permissions, leading to unauthorized...

6.5CVSS6.1AI score0.00203EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2 days ago13 views

CVE-2026-47082

A flaw was found in Cyrus IMAP's cyrus-imapd component. A user with low privileges can exploit a vulnerability in the vacation "fcc" feature. By crafting a specific Sieve script, the user can bypass access control lists and deliver vacation auto-reply messages into any mailbox, leading to...

5.4CVSS6AI score0.00176EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2 days ago6 views

CVE-2026-41993

Improper Access Control vulnerability in the Removable Media Validation function of TXOne Networks products allows a local attacker with administrator privileges to bypass the file lockdown mechanism, resulting in unauthorized file transfer to the victim device. The attacker needs to deploy...

6.7CVSS6.1AI score0.00108EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-41993

Improper Access Control vulnerability in the Removable Media Validation function of TXOne Networks products allows a local attacker with administrator privileges to bypass the file lockdown mechanism, resulting in unauthorized file transfer to the victim device. The attacker needs to deploy...

6.7CVSS0.00108EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago11 views

EUVD-2026-45138

Improper Access Control vulnerability in the Removable Media Validation function of TXOne Networks products allows a local attacker with administrator privileges to bypass the file lockdown mechanism, resulting in unauthorized file transfer to the victim device. The attacker needs to deploy...

6.7CVSS6.1AI score0.00108EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago38 views

CVE-2026-62387 Grav < 1.0.0-rc.16 CORS Misconfiguration via API Plugin

The Grav API plugin getgrav/grav-plugin-api before 1.0.0-rc.16 shipped Access-Control-Allow-Origin: as its default CORS configuration on all responses, including authenticated endpoints and preflight OPTIONS responses. Because the plugin accepts credentials via the Authorization and X-API-Token...

7.1CVSS0.00259EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago11 views

EUVD-2026-45081

Grav Flex-Objects before version 1.4.3 contains a broken access control vulnerability in the admin-next REST API that allows authenticated users with only api.access permission to perform unauthorized CRUD operations on permission-less directories. Attackers with api.access credentials can create...

6.3CVSS6.1AI score0.00169EPSS
Exploits0References2
OSV
OSV
added 2 days ago2 views

CVE-2026-62233 grav-plugin-api < 1.0.6 Privilege Escalation via createApiKey

grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers to escalate to super-admin. Attackers can mint API keys bound to super-admin accounts or strip 2FA from super-admin users to achiev...

8.7CVSS5.3AI score0.00246EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2 days ago10 views

PT-2026-60790

Dendrite through 0.13.8 contains an improper access control vulnerability in the syncapi /context endpoint syncapi/routing/context.go that allows authenticated local users to access post-leave room state events by exploiting a flawed membership check that evaluates only the RoomExists field while...

5.3CVSS5.3AI score0.0016EPSS
Exploits0References3
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-51083

Incorrect access control in Proxmox Virtual Environment PVE 9.x qemu-server before 9.1.8 and 8.x before 8.4.8 allows users within limited privileges to obtain hashed passwords via the cloudinit/dump API...

0.00201EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2 days ago6 views

PT-2026-60774

Incorrect access control in Proxmox Virtual Environment PVE 9.x qemu-server before 9.1.8 and 8.x before 8.4.8 allows users within limited privileges to obtain hashed passwords via the cloudinit/dump API...

5.3AI score0.00201EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2 days ago6 views

CVE-2026-51083

Incorrect access control in Proxmox Virtual Environment PVE 9.x qemu-server before 9.1.8 and 8.x before 8.4.8 allows users within limited privileges to obtain hashed passwords via the cloudinit/dump API...

5.3AI score0.00201EPSS
Exploits0References1
CVE
CVE
added 2 days ago7 views

CVE-2026-51083

Proxmox VE is affected: incorrect access control in Proxmox Virtual Environment (PVE) 9.x qemu-server before 9.1.8 and 8.x before 8.4.8 allows users with limited privileges to obtain hashed passwords via the cloudinit/dump API. The root cause is an access-control issue in the cloudinit/dump endpo...

6.5CVSS5.3AI score0.00201EPSS
Exploits0References1
EUVD
EUVD
added 3 days ago8 views

EUVD-2026-45009

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. GENURLAUTH-issued tokens can bypass ACLs. Any authenticated user could mint a URLAUTH token via the GENURLAUTH command for any mailbox they could name, even without read access on it. This would allow reading mail from mailboxes...

3.5CVSS6.1AI score0.00169EPSS
Exploits0References3
EUVD
EUVD
added 3 days ago8 views

EUVD-2026-45007

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The LOCALDELETE command bypassed ACL checks. An authenticated but non-admin user could invoke the admin-only LOCALDELETE IMAP command and delete mailboxes for which they had no permissions...

6.5CVSS6.1AI score0.00203EPSS
Exploits0References3
NVD
NVD
added 3 days ago7 views

CVE-2026-47086

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. GENURLAUTH-issued tokens can bypass ACLs. Any authenticated user could mint a URLAUTH token via the GENURLAUTH command for any mailbox they could name, even without read access on it. This would allow reading mail from mailboxes...

3.5CVSS0.00169EPSS
Exploits0References2
NVD
NVD
added 3 days ago7 views

CVE-2026-47082

An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. The vacation "fcc" feature skips the destination-mailbox ACL. A user whose vacation Sieve script used :fcc to save a copy of the sent message could deliver vacation auto-reply copies into any mailbox the script could name,...

5.4CVSS0.00176EPSS
Exploits0References2
NVD
NVD
added 3 days ago5 views

CVE-2026-44595

Yamcs is a mission control framework. Prior to 5.12.7, the IAM API endpoints listUsers, getUser, listGroups, and getGroup in yamcs-core did not enforce the required SystemPrivilege.ControlAccess check in yamcs-core/src/main/java/org/yamcs/http/api/IamApi.java, so any authenticated user, even one...

4.3CVSS0.01008EPSS
Exploits3References5
CVE
CVE
added 3 days ago12 views

CVE-2026-6511

CVE-2026-6511 : Lenovo Smart Connect for Windows is reported to have an improper access control vulnerability that could allow a local authenticated user to access files owned by another user on the same system. The issue is described as local, with low attack complexity and the attack requires l...

6.8CVSS6.1AI score0.00134EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago9 views

EUVD-2026-44974

During an internal security assessment, a potential improper access control vulnerability was discovered in Lenovo Smart Connect for Windows that could allow a local authenticated user to access files owned by a different user on the same system...

6.8CVSS6.1AI score0.00134EPSS
Exploits0References2
Rows per page
Query Builder