403 matches found
EUVD-2026-43002
The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-12108
The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
PT-2026-56038
Name of the Vulnerable Software and Affected Versions FOSSBilling versions prior to 0.8.0 Description A low-privileged staff account can grant arbitrary module permissions to itself, leading to persistent privilege escalation. A user possessing the staff.create and edit staff permission can call...
CVE-2026-14615
A flaw was found in the Fine-Grained Admin Permissions FGAP v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a...
CVE-2026-14614
The CVE-2026-14614 entry concerns Keycloak’s admin services, specifically the ClientResource component under FGAP v2. It describes a bypass where a delegated administrator can attach or remove hidden client scopes beyond their visibility/permission, potentially injecting unauthorized data or perm...
CVE-2026-14613
Technical details are not publicly available in the provided documents. Monitor for updates from Red Hat/NVD for affected Keycloak FGAP v2 integration and any patched versions.
CVE-2026-14613 Keycloak-services: keycloak-services: keycloak: fgap v2 role groups endpoint discloses hidden group metadata without group view permission
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions FGAP v2 are turned on, an administrator who is allowed to see a specific "role" can...
CVE-2026-14613
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions FGAP v2 are turned on, an administrator who is allowed to see a specific "role" can...
PT-2026-55550
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the ClientResource component of the admin services when Fine-Grained Admin Permissions FGAP v2 is enabled. This issue allows a delegated administrator with limited control...
CVE-2026-53905
CVE-2026-53905 affects MCO, with confirmation in version 25.3.3.1. The issue is an insufficient authorization enforcement in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint, allowing an authenticated, low-privileged user to retrieve administrator access contr...
CVE-2026-14209 Keycloak-admin-ui: keycloak-admin-ui:admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions
A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions FGAPv2 are enabled, an administrator who should only be able to search for users but not view their full details can use a...
CVE-2026-14209
A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions FGAPv2 are enabled, an administrator who should only be able to search for users but not view their full details can use a...
keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement
A flaw was found in Keycloak's Fine-Grained Admin Permissions FGAPv2 feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security...
CVE-2026-9099
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
CVE-2026-48493 Snipe-IT Vulnerable to Privilege Escalation for self via API Permissions Assignment
Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/theirownid and grant themselves any permission except admin and superuser — for example assets.view, assets.create, reports.view, import, etc. The issue is...
FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions
Summary An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be restricted to administrators. Details The Scheduler API did not correctly enforce administrator permissions when processing scheduler modifications. As a...
CVE-2026-11577
...
PT-2026-47283
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description An improper access control flaw exists where a limited administrator can bypass Fine-Grained Admin Permissions FGAP, which are detailed permissions that restrict administrative actions to...
PT-2026-47559
Summary An authorization issue in the Scheduler API allowed authenticated non-admin users to create or modify scheduled actions that should be restricted to administrators. Details The Scheduler API did not correctly enforce administrator permissions when processing scheduler modifications. As a...
CVE-2026-9809
A stored Cross-Site Scripting XSS vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views such as campaigns, emails, or forms, user-supplied project names are rendered without proper sanitization. An authenticated user...