Lucene search
+L

248861 matches found

NVD
NVD
added 22 minutes ago1 views

CVE-2026-48010

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...

6.5CVSS0.00034EPSS
Exploits0References5
NVD
NVD
added 22 minutes ago1 views

CVE-2026-48008

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync; the regular integration endpoint POST...

6.5CVSS0.00034EPSS
Exploits0References5
NVD
NVD
added 22 minutes ago1 views

CVE-2026-48009

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with userrecovery:read ACL can take over any admin account by triggering POST /api/action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PAT...

6.8CVSS0.00034EPSS
Exploits0References6
Cvelist
Cvelist
added 41 minutes ago4 views

CVE-2026-48009 Shopware: Admin Account Takeover via User Recovery Hash Exposure

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with userrecovery:read ACL can take over any admin account by triggering POST /api/action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PAT...

6.8CVSS0.00034EPSS
Exploits0References6
CVE
CVE
added 41 minutes ago21 views

CVE-2026-48009

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a low-privilege admin user with userrecovery:read ACL can take over any admin account by triggering POST /api/action/user/user-recovery, reading the password recovery hash through POST /api/search/user-recovery, and using PAT...

6.8CVSS5.3AI score0.00034EPSS
Exploits0References6
Cvelist
Cvelist
added 43 minutes ago4 views

CVE-2026-48014 Shopware: Admin API ACL Bypass in Order State Transition Endpoints

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...

6.5CVSS0.00041EPSS
Exploits0References5
Cvelist
Cvelist
added 44 minutes ago3 views

CVE-2026-48010 Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...

6.5CVSS0.00034EPSS
Exploits0References5
CVE
CVE
added 44 minutes ago20 views

CVE-2026-48010

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...

6.5CVSS5.3AI score0.00034EPSS
Exploits0References5
Cvelist
Cvelist
added 52 minutes ago3 views

CVE-2026-48008 Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync; the regular integration endpoint POST...

6.5CVSS0.00034EPSS
Exploits0References5
CVE
CVE
added 52 minutes ago20 views

CVE-2026-48008

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync; the regular integration endpoint POST...

6.5CVSS5.4AI score0.00034EPSS
Exploits0References5
NVD
NVD
added 1 hour ago3 views

CVE-2026-63307

Chat2DB before 5.3.0 contains an insecure direct object reference vulnerability in the GET /api/connection/datasource/id endpoint. The handler calls dataSourceService.queryExistentid, ... without an ownership check and returns the decrypted password field, allowing any authenticated non-admin use...

7.1CVSS
Exploits0References3
NVD
NVD
added 1 hour ago6 views

CVE-2026-21760

HCL DevOps Loop is affected by an Unauthorized Access to Admin Functionality Forced Browsing vulnerability. Improper authorization checks may allow unauthorized users to access restricted administrative functionality by directly accessing protected application endpoints...

4.6CVSS
Exploits0References1
NVD
NVD
added 1 hour ago3 views

CVE-2026-16106

A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can...

4.9CVSS
Exploits0References2
The Hacker News
The Hacker News
added 1 hour ago4 views

New NadMesh Botnet Hunts Exposed AI Services for Cloud Keys and Kubernetes Tokens

A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys. A Shodan harvester keeps the scan queue stocked with ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio: the image generators, local model runners, an...

5.7AI score
Exploits0
ATTACKERKB
ATTACKERKB
added 1 hour ago3 views

CVE-2026-21760

HCL DevOps Loop is affected by an Unauthorized Access to Admin Functionality Forced Browsing vulnerability. Improper authorization checks may allow unauthorized users to access restricted administrative functionality by directly accessing protected application endpoints...

4.6CVSS5.3AI score
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 1 hour ago4 views

CVE-2026-21760 Unauthorized Access to Admin Functionality via Forced Browsing

HCL DevOps Loop is affected by an Unauthorized Access to Admin Functionality Forced Browsing vulnerability. Improper authorization checks may allow unauthorized users to access restricted administrative functionality by directly accessing protected application endpoints...

4.6CVSS5.2AI score
Exploits0References1
Cvelist
Cvelist
added 1 hour ago7 views

CVE-2026-21760 Unauthorized Access to Admin Functionality via Forced Browsing

HCL DevOps Loop is affected by an Unauthorized Access to Admin Functionality Forced Browsing vulnerability. Improper authorization checks may allow unauthorized users to access restricted administrative functionality by directly accessing protected application endpoints...

4.6CVSS
Exploits0References1
CVE
CVE
added 1 hour ago6 views

CVE-2026-21760

CVE-2026-21760 affects HCL DevOps Loop with an unauthorized access via forced browsing. The root cause is improper authorization checks that permit direct access to protected admin endpoints. CVSSv3.1 metrics indicate Network attack vector, Low privileges required, User interaction required, with...

4.6CVSS5.3AI score
Exploits0References1
Vulnrichment
Vulnrichment
added 1 hour ago4 views

CVE-2026-16106 Keycloak-services: keycloak-services: incorrect authorization in admin role-composite deletion allows delegated admin to remove privileged child roles

A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can...

4.9CVSS5.3AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added 1 hour ago2 views

CVE-2026-16106

A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can...

4.9CVSS5.3AI score
Exploits0References3
Rows per page
Query Builder