EUVD-2026-31345
LiteLLM prior to 1.83.10 allows a user to modify their own userrole via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxyadmin...
CVE-2026-20209 Cisco Catalyst SD-WAN Manager Privilege Escalation Vulnerability
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate their privileges from low to high and perform actions as a high-privileged user. This vulnerability exists because sensitive...
CVE-2026-28788 Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the POST /api/v1/retrieval/process/files/batch endpoint. The endpoint performs no ownership check, so a...
CVE-2026-27591
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions assigned to their...
Microsoft Azure Entra ID Security Vulnerability
Microsoft Azure Entra ID is a cloud-based identity and access management service provided by Microsoft Corporation in the United States. There are security vulnerabilities associated with Microsoft Azure Entra ID. Attackers can exploit these vulnerabilities to gain higher levels of access...
SAP NetWeaver AS ABAP Missing Authorization Check (3674774)
The version of SAP NetWeaver Application Server ABAP detected on the remote host is affected by a missing authorization check vulnerability as disclosed in the SAP Security Patch Day February 2026: - SAP NetWeaver Application Server ABAP and ABAP Platform is affected by a missing authorization...
CVE-2023-40176
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can exploit a stored XSS through their user profile by setting the payload as the value of the time zone user preference. Even though the time zone is selected from a drop...
CVE-2019-12617
In SilverStripe through 4.3.3, there is access escalation for CMS users with limited access through permission cache pollution...
CVE-2025-69203 Signal K Server Vulnerable to Access Request Spoofing
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that, when combined by themselves and with an information disclosure vulnerability, enable convincing social engineering attacks against...
CVE-2025-66429
An issue was discovered in cPanel 110 through 132. A directory traversal vulnerability within the Team Manager API allows for overwrite of an arbitrary file. This can allow for privilege escalation to the root user...
CVE-2025-66223
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issue...
EUVD-2019-0967
Malware in sbrugna...
EUVD-2018-9695
Malware in sbrugna...
EUVD-2021-18868
Malware in sbrugna...
EUVD-2020-2734
Malware in sbrugna...
EUVD-2019-0733
Malware in sbrugna...
EUVD-2022-36982
Malicious code in bioql PyPI...
EUVD-2025-14826
Malicious code in bioql PyPI...
EUVD-2022-35699
Malicious code in bioql PyPI...
CVE-2019-14400
cPanel before 78.0.18 allows local users to escalate to root access because of userdata cache misparsing SEC-479...