Lucene search
+L

1592 matches found

EUVD
EUVD
added yesterday5 views

EUVD-2026-45240

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...

6.5CVSS5.4AI score0.00034EPSS
Exploits0References5
CVE
CVE
added yesterday8 views

CVE-2025-59866

The CVE concerns HCL DFMPro, DFXAnalytics, and DFXServer installers suffering from Insecure file permissions that allow a logged-in non-administrative user to overwrite or replace the executable with a malicious binary. The underlying cause is unrestricted or insecure permissions on the installer...

3.3CVSS5.4AI score
Exploits0References1
Cvelist
Cvelist
added yesterday35 views

CVE-2025-59866

The HCL DFMPro, DFXAnalytics and DFXServer installers are affected by ‘Insecure file permissions Leading to Privilege Escalation’ vulnerability, which enables any logged-in non-administrative user to overwrite or replace the executable file with a malicious binary...

3.3CVSS
Exploits0References1
Positive Technologies
Positive Technologies
added yesterday7 views

PT-2026-60832

The HCL DFMPro, DFXAnalytics and DFXServer installers are affected by ‘Insecure file permissions Leading to Privilege Escalation’ vulnerability, which enables any logged-in non-administrative user to overwrite or replace the executable file with a malicious binary...

3.3CVSS5.3AI score
Exploits0References2
OSV
OSV
added 2 days ago4 views

CVE-2026-63085 Axelor Open Platform 8.x < 8.2.2 Authorization Bypass via Nested Relational Record Persistence

Axelor Open Platform versions 8.x prior to 8.2.2 contains an authorization bypass vulnerability that allows authenticated non-admin users to escalate privileges by exploiting unenforced field restrictions on nested relational save operations. Attackers can modify sensitive User record fields such...

8.7CVSS6.1AI score0.00371EPSS
Exploits0References6
NVD
NVD
added 5 days ago3 views

CVE-2026-58410

ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another...

7.1CVSS0.00174EPSS
Exploits0References1
Snyk
Snyk
added 2026/07/10 8:32 p.m.6 views

Incorrect Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the BulkUsersController::destroy process. An attacker can gain unauthorized ability to soft-delete other non-admin users by sending a direct POST...

7.1CVSS6.1AI score0.00285EPSS
Exploits1References2
NVD
NVD
added 2026/07/10 5:17 p.m.9 views

CVE-2026-59190

grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST...

8.7CVSS0.00215EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/30 3:52 p.m.9 views

CVE-2026-58168 DeepTutor < 1.4.10 - Insecure Default Grants Unrestricted MCP Tool Access to Non-Admin Users

DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowedmcptools function returning None instead of a denied result when mcptools is omitted from a user's grant in...

8.8CVSS5.8AI score0.00412EPSS
Exploits0References4
CVE
CVE
added 2026/06/30 3:52 p.m.21 views

CVE-2026-58168

Vulnerability overview: DeepTutor prior to v1.4.10 contains an authorization bypass in which the allowed_mcp_tools function returns None instead of denying access when mcp_tools is omitted from a user’s grant in deeptutor/multi_user/tool_access.py. This enables low-privilege users, including thos...

8.8CVSS5.8AI score0.00412EPSS
Exploits0References4
NVD
NVD
added 2026/06/29 10:16 a.m.9 views

CVE-2026-13555

A vulnerability was found in itsourcecode Online Hotel Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/modusers/controller.php?action=add. The manipulation of the argument Name results in sql injection. The attack can be launched remotely. The exploi...

7.5CVSS0.00412EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/06/25 7:3 a.m.13 views

CVE-2026-56129

Generic IO & Memory Access driver for PCs provided by TOSHIBA CORPORATION and Dynabook Inc. exposes its IOCTL with insufficient access control. A logged-in user with no administrative privilege may access physical memory...

6.8CVSS5.8AI score0.00121EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/17 5:7 p.m.18 views

CVE-2026-20266 OS Command Injection in the btool Configuration Helper in Splunk AI Toolkit

In Splunk AI Toolkit versions below 5.7.4, a user who holds the "admin" Splunk role could execute arbitrary OS commands on the host running the Splunk Enterprise instance. The vulnerability is possible because of an unsafe shell execution pattern in the btool configuration helper, which construct...

9.1CVSS0.00469EPSS
Exploits0References1
NVD
NVD
added 2026/06/12 10:16 p.m.13 views

CVE-2026-47124

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users...

6.5CVSS0.0027EPSS
Exploits0References1
NVD
NVD
added 2026/06/12 9:16 p.m.15 views

CVE-2026-54362

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or...

5.3CVSS0.00207EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 8:8 p.m.19 views

CVE-2026-54362

The CVE concerns MISP's event template builder where an incorrect visibility condition allowed authenticated non-site-admin users to see galaxies outside their organisation. The root cause is a PHP comparison expression used instead of a query condition, causing enabled galaxies, including organi...

5.3CVSS5.4AI score0.00207EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 8:8 p.m.9 views

CVE-2026-54362 MISP template builder exposes non-visible custom galaxies across organisations

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or...

5.3CVSS5.3AI score0.00207EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.21 views

PT-2026-48994

An incorrect visibility condition in the MISP event template builder allowed authenticated non-site-admin users to view galaxies that should not have been visible to their organisation. The custom access-control condition intended to restrict galaxies to those owned by the user’s organisation or...

5.3CVSS5.3AI score0.00207EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/10 6:0 a.m.13 views

EUVD-2026-35987

The Store Locator WordPress plugin before 1.6.6 does not sanitize and escape one of its settings before storing it and outputting it on the Store Locator WordPress plugin before 1.6.6 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks...

3.5CVSS5.5AI score0.00138EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.20 views

WordPress plugin Copy & Delete Posts 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

8.1CVSS5.4AI score0.00248EPSS
Exploits0References1
Rows per page
Query Builder