ZenML ZenML Server - Improper Authentication

ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/usernameorid/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. id: CVE-2024-25723 info:...

CVE-2026-39331

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the familyId parameter in requests, regardless of whether they possess the required EditRecords privilege...

EUVD-2026-15806

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to properly validate CSRF tokens in the /api/v4/accesscontrolpolicies/policyid/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a craft...

Mattermost doesn't properly validate CSRF tokens

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to properly validate CSRF tokens in the /api/v4/accesscontrolpolicies/policyid/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a craft...

CVE-2026-27659 CSRF vulnerability in UpdateAccessControlPolicyActiveStatus endpoint

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to properly validate CSRF tokens in the /api/v4/accesscontrolpolicies/policyid/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a craft...

WordPress AL Pack plugin unauthorized access vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. An unauthorized access vulnerability exists in the WordPress AL Pack plugin, which stems from a lack of functionality checking of the checkactivatepermission permission callback...

CVE-2025-7664

The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the checkactivatepermission permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.1.1. The callback reads the client-supplied...

WordPress plugin AL Pack 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. An unauthorized access vulnerability exists in the WordPress AL Pack plugin, which stems from a lack of functionality checking of the checkactivatepermission permission callback...

PT-2025-33530 · WordPress · Al Pack For Wordpress

Name of the Vulnerable Software and Affected Versions: AL Pack for WordPress versions up to and including 1.0.2 Description: The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check activate permission permission callback for the...

The vulnerability of the final point of the application programming interface /api/v1/users/{user_name_or_id}/activate, which is part of the Zenml machine learning pipeline creation framework, allows a violator to elevate their privileges.

The vulnerability of the final point of the application software interface/api/v1/users/usernameorid/activate function in the Zenml machine learning pipeline creation framework is related to deficiencies in the access control mechanism. Exploiting this vulnerability could allow an attacker to...

ZenML Security Vulnerability

ZenML is an extensible open source MLOps framework for creating portable, production-ready machine learning pipelines. A security vulnerability exists in ZenML versions prior to 0.46.7, which stems from the /api/v1/users/usernameorid/activate REST API endpoint allowing access based on a valid...