13 matches found

Ubuntu · added 2026/05/06 5:43 a.m. · 6 views

USN-8236-1: Slurm vulnerabilities

It was discovered that Slurm did not correctly handle certain file system operations. An attacker could possibly use this issue to modify files or leak sensitive information. This issue only affected Ubuntu 22.04 LTS. CVE-2023-41914 Ryan Hall discovered that Slurm did not correctly enforce certai...

CVSS 9.8 · AI score 6 · EPSS 0.0039
Exploits: 0

Positive Technologies · added 2026/04/06 12:0 a.m. · 2 views

PT-2026-30714

Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/id lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to...

CVSS 8.8 · AI score 5.9 · EPSS 0.00043
Exploits: 1 · References: 2

EUVD · added 2026/03/09 8:11 p.m. · 4 views

EUVD-2026-10354

Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR Insecure Direct Object Reference due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who...

CVSS 8.7 · AI score 5.8 · EPSS 0.0005
Exploits: 1 · References: 1

EUVD · added 2025/10/03 8:7 p.m. · 2 views

EUVD-2025-31662

Malicious code in bioql PyPI...

CVSS 6.7 · AI score 6.6 · EPSS 0.00036
Exploits: 1 · References: 3

RedhatCVE · added 2025/09/30 11:47 p.m. · 6 views

CVE-2025-59950

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection confirmation dialog, it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button...

CVSS 6.7 · AI score 6.7 · EPSS 0.00036
Exploits: 1 · References: 1

NVD · added 2025/09/30 4:43 a.m. · 4 views

CVE-2025-59950

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection confirmation dialog, it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button...

CVSS 6.7 · EPSS 0.00036
Exploits: 1 · References: 3

CVE · added 2025/09/29 11:21 p.m. · 9 views

CVE-2025-59950

FreshRSS

CVSS 6.7 · AI score 6.4 · EPSS 0.00036
Exploits: 1 · References: 3 · Affected Software: 1

Vulnrichment · added 2025/09/29 11:21 p.m. · 3 views

CVE-2025-59950 FreshRSS: Double clickjacking can lead to privilege escalation

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection confirmation dialog, it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button...

CVSS 6.7 · AI score 6.4 · EPSS 0.00036
Exploits: 1 · References: 3

OSV · added 2025/09/29 11:21 p.m. · 3 views

CVE-2025-59950 FreshRSS: Double clickjacking can lead to privilege escalation

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection confirmation dialog, it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button...

CVSS 6.7 · AI score 6.7 · EPSS 0.00036
Exploits: 1 · References: 5

Cvelist · added 2025/09/29 11:21 p.m. · 5 views

CVE-2025-59950 FreshRSS: Double clickjacking can lead to privilege escalation

FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.3 and below, due to a bypass of double clickjacking protection confirmation dialog, it is possible to trick the admin into clicking the Promote button in another user's management page after the admin double clicks on a button...

CVSS 6.7 · EPSS 0.00036
Exploits: 1 · References: 3

Positive Technologies · added 2025/09/29 12:0 a.m. · 2 views

PT-2025-39920

Name of the Vulnerable Software and Affected Versions: FreshRSS versions 1.26.3 and below. Description: FreshRSS is susceptible to a double clickjacking protection bypass. An attacker can trick an administrator into promoting themselves to "admin" and logging into other users' accounts. This is...

CVSS 6.7 · AI score 6.6 · EPSS 0.00036
Exploits: 1 · References: 9

RedhatCVE · added 2025/05/23 7:17 a.m. · 5 views

CVE-2024-8071

Mattermost versions 9.9.x = 9.9.1, 9.5.x = 9.5.7, 9.10.x = 9.10.0 and 9.8.x = 9.8.2 fail to restrict which roles can promote a user as system admin which allows a System Role with edit access to the permissions section of system console to update their role e.g. member to include the managesystem...

CVSS 7.2 · AI score 6.8 · EPSS 0.00126
Exploits: 0 · References: 1

Positive Technologies · added 2024/08/22 12:0 a.m. · 3 views

PT-2024-38785 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 9.8.x through 9.8.2; Mattermost versions 9.5.x through 9.5.7; Mattermost versions 9.9.x through 9.9.1; Mattermost versions 9.10.x through 9.10.0. Description: The issue arises from the failure to restrict which roles can promo...

CVSS 7.2 · AI score 7.2 · EPSS 0.00126
Exploits: 0 · References: 11