
12 matches found

Github Security Blog
added 2026/05/04 9:24 p.m. · 10 views

Pelican Web UI Affected by a Privilege Escalation Attack

Background: On April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI) for various versions between v7.21 and v7.24. Upon further investigation, the Pelican team discovered this attack allows any...

CVSS 9 · AI score 5.7 · EPSS 0.00014
Exploits 0 · References 4 · Affected Software 1
EUVD
added 2026/03/30 5:49 p.m. · 1 view

EUVD-2026-16732

AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php...

CVSS 5.3 · AI score 5.9 · EPSS 0.00018
Exploits 1 · References 3
Positive Technologies
added 2026/03/27 12:00 a.m. · 1 view

PT-2026-28621

Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0. Description: AVideo is an open source video platform. The categories.json.php endpoint, which serves the category listing API, does not properly enforce user group-based access controls on categories...

CVSS 5.3 · AI score 5.8 · EPSS 0.00018
Exploits 1 · References 8
Positive Technologies
added 2024/12/28 12:00 a.m. · 3 views

PT-2025-3199 · Couchbase · Couchbase Server

Name of the Vulnerable Software and Affected Versions: Couchbase Server versions 7.6.x through 7.6.3 Description: An issue was discovered that allows a user with the security admin local role to create a new user in a group that has the admin role. This is related to incorrect permission storage...

CVSS 8.5 · AI score 7 · EPSS 0.00176
Exploits 0 · References 7
CNNVD
added 2023/03/14 12:00 a.m. · 1 view

Siemens RUGGEDCOM CROSSBOW Security Vulnerability

An access control error vulnerability exists in Siemens RUGGEDCOM CROSSBOW, a secure access management solution designed to provide NERC CIP-compliant access to intelligent electronic devices, which stems from a failure of the affected application's client-side query handler to check for...

CVSS 8.8 · AI score 6.7 · EPSS 0.00238
Exploits 0 · References 2
OSV
added 2022/01/05 4:15 a.m. · 2 views

CVE-2021-43946

Affected versions of Atlassian Jira Server and Data Center allow authenticated remote attackers to add administrator groups to filter subscriptions via a Broken Access Control vulnerability in the /secure/EditSubscription.jspa endpoint. The affected versions are before version 8.13.21, and from...

CVSS 6.5 · AI score 5.8
Exploits 0 · References 1
OSV
added 2016/05/15 1:59 a.m. · 1 view

CVE-2016-0381

IBM Cognos TM1 10.2.2 before FP5, when the host/pmhub/pm/admin AdminGroups setting is empty, allows remote authenticated users to cause a denial of service configuration outage via a non-empty value...

CVSS 4.3 · AI score 5.8 · EPSS 0.00372
Exploits 0 · References 2
OSV
added 2016/05/13 4:59 p.m. · 0 views

DEBIAN-CVE-2016-2860

The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID...

CVSS 6.5 · AI score 6.9 · EPSS 0.00252
Exploits 0 · References 1
OSV
added 2016/05/13 4:59 p.m. · 1 view

UBUNTU-CVE-2016-2860

The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID...

CVSS 6.5 · AI score 6.9 · EPSS 0.00252
Exploits 0 · References 3
CNVD
added 2016/04/12 12:00 a.m. · 1 view

IBM OpenAFS ptserver elevation of privilege vulnerability

IBM OpenAFS is a distributed file system from IBM in the United States that allows sharing of files and resources between systems over LANs and WANs. A security vulnerability exists in IBM OpenAFS versions prior to 1.6.17 in ptserver. An attacker could exploit the vulnerability to create arbitrar...

CVSS 6.5 · AI score 7.6 · EPSS 0.00252
Exploits 0 · References 1
Prion
added 2012/09/17 5:55 p.m. · 11 views

Code injection

SilverStripe 2.3.x before 2.3.12 and 2.4.x before 2.4.6 allows remote authenticated users with the EDITPERMISSIONS permission to gain administrator privileges via a TreeMultiselectField that includes admin groups when adding a user to the selected groups...

CVSS 6 · AI score 7 · EPSS 0.00495
Exploits 0 · References 5 · Affected Software 1
Packet Storm
added 2011/04/12 12:00 a.m. · 32 views

WebsiteBaker 2.8.1 Path Disclosure / SQL Injection

=================================== Vulnerability ID: HTB22929 Reference: http://www.htbridge.ch/advisory/multiplepathdisclosureinwebsitebaker.html Product: WebsiteBaker Vendor: Website Baker Org http://www.websitebaker2.org/ Vulnerable Version: 2.8.1 Vendor Notification: 29 March 2011...

AI score 0.1
Exploits 0