CVE-2026-34458 Sandboxie-Plus privilege escalation via INI CRLF injection bypassing EditAdminOnly

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions EditAdminOnly and ConfigPassword and inject arbitrary directives into the global...

Incorrect Authorization

Overview @openclaw/matrix is an OpenClaw Matrix channel plugin Affected versions of this package are vulnerable to Incorrect Authorization via the operator.write message-tool. An attacker can modify persistent Matrix profile configuration without proper authorization by sending crafted requests...

CVE-2026-24907

October is a Content Management System CMS and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting XSS vulnerability in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing,...

CVE-2026-4925

Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication MFA configuration via a crafted request. This issue affects Server: from 2026.1.6 through 2026.1.11...

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server from 2026.1.6 to 2026.1.11 contained security vulnerabilities. These vulnerabilities were...

PT-2026-29539

Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication MFA configuration via a crafted request. This issue affects Server: from 2026.1.6 through 2026.1.11...

Improper Privilege Management

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Privilege Management through the /allowlist process. An attacker can escalate privileges by using an authenticated gateway client with operator.write scope to persist unauthorize...

CVE-2025-10731

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the allReminderSettings function. This makes it possible for...

CVE-2025-65669

An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction...

CVE-2025-65669

Summary: CVE-2025-65669 affects classroomio 0.1.13, where student accounts can delete courses from the Explore page without authorization, bypassing admin-only checks. Root cause (as described): missing authorization checks in the delete path. Impact: potential unauthorized course deletion with h...

CVE-2025-65669

An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction...

EUVD-2020-17748

Malware in sbrugna...

PT-2025-25278 · Unknown · Kicode111 Like-Girl

Name of the Vulnerable Software and Affected Versions: kiCode111 like-girl version 5.2.0 Description: A critical vulnerability has been found in the unknown functionality of the file /admin/ImgAddPost.php. The manipulation of the argument imgDatd/imgText/imgUrl leads to SQL injection. The attack...

CVE-2025-2570

Mattermost versions 10.5.x = 10.5.3, 9.11.x = 9.11.11 fail to check RestrictSystemAdmin setting if user doesn't have access to ExperimentalSettings which allows a System Manager to access ExperimentSettings when RestrictSystemAdmin is true via System Console...

Nextcloud: Easy way to create a new Deck board without permission

A vulnerability was discovered that allowed users to create new boards without permission. The vulnerability involved cloning an existing board and renaming it, bypassing the restrictions set by the admin to limit board creation to specific groups...

CVE-2023-20955

In onPrepareOptionsMenu of AppInfoDashboardFragment.java, there is a possible way to bypass admin restrictions and uninstall applications for all users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User...

Design/Logic Flaw

In onPrepareOptionsMenu of AppInfoDashboardFragment.java, there is a possible way to bypass admin restrictions and uninstall applications for all users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User...

CVE-2023-20955

In onPrepareOptionsMenu of AppInfoDashboardFragment.java, there is a possible way to bypass admin restrictions and uninstall applications for all users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User...

ASB-A-258653813

In onPrepareOptionsMenu of AppInfoDashboardFragment.java, there is a possible way to bypass admin restrictions and uninstall applications for all users due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User...

Publify `guest` role users can self-register even when the admin does not allow it

In Publify, 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. guest role users can self-register even when the admin does not allow it. This happens due to front-end restriction only...