Lucene search
+L

113 matches found

Github Security Blog
Github Security Blog
added 2026/05/23 12:16 a.m.23 views

Arcane: Missing admin authorization on global variables endpoint

Summary The PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token...

8.8CVSS6AI score0.00245EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/23 12:16 a.m.45 views

GHSA-JPJH-JM2P-39HH Arcane: Missing admin authorization on global variables endpoint

Summary The PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token...

8.8CVSS6AI score0.00245EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/23 12:0 a.m.20 views

PT-2026-42873

Name of the Vulnerable Software and Affected Versions Arcane versions prior to 1.19.2 Description The "PUT /api/environments/id/templates/variables" endpoint, used to write the system-wide .env.global file for variable substitution in project compose files, lacks an admin authorization check. Any...

8.8CVSS6.5AI score0.00245EPSS
Exploits0References10
NVD
NVD
added 2026/05/15 9:16 a.m.37 views

CVE-2026-7563

The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it...

4.3CVSS0.00265EPSS
Exploits0References14
CNNVD
CNNVD
added 2026/05/15 12:0 a.m.12 views

WordPress plugin Classified Listing – AI-Powered Classified ads & Business Directory Plugin 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

4.3CVSS5.9AI score0.00265EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 5:29 p.m.35 views

CVE-2026-42303 Fides: Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection

Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was...

6.1CVSS0.00313EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/04/24 5:29 a.m.9 views

CVE-2026-5347

The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admininit hook that handles the permalink settings update at line 205-209 of wp-books-gallery.php...

5.3CVSS5.8AI score0.00323EPSS
Exploits0References7
NVD
NVD
added 2026/04/22 9:17 p.m.5 views

CVE-2026-40937

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any...

8.3CVSS0.00293EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/22 8:15 p.m.3 views

CVE-2026-40937 RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any...

8.3CVSS5.7AI score0.00293EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/22 8:15 p.m.4 views

CVE-2026-40937

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any...

8.3CVSS5.7AI score0.00293EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/22 8:15 p.m.2 views

CVE-2026-40937 RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any...

8.3CVSS5.9AI score0.00293EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/22 7:24 p.m.5 views

EUVD-2026-25092

RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks...

8.3CVSS5.8AI score0.00293EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/22 7:24 p.m.8 views

RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks

Missing Admin Auth on Notification Target Endpoints in RustFS Finding Summary All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any admin-action...

8.3CVSS5.7AI score0.00293EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/14 11:12 p.m.9 views

WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials

Summary objects/configurationUpdate.json.php also routed via /updateConfig persists dozens of global site settings from $POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not verify a globalToken, and does not validate the Origin/Referer...

8.3CVSS5.9AI score0.00173EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/10 7:40 p.m.10 views

Ech0: Missing authorization on dashboard log endpoints allows low-privilege users to access sensitive system logs

Summary Ech0 allows any authenticated user to read historical system logs and subscribe to live log streams because the dashboard log endpoints validate only that a JWT is present and valid, but do not require an administrator role or privileged scope. Impact Any valid user session can access GET...

5.8AI score
Exploits0References3Affected Software1
NVD
NVD
added 2026/04/10 5:17 p.m.10 views

CVE-2026-35620

OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce...

5.4CVSS0.00442EPSS
Exploits1References6
EUVD
EUVD
added 2026/04/10 4:3 p.m.8 views

EUVD-2026-21432

OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce...

5.4CVSS5.9AI score0.00442EPSS
Exploits1References6
ATTACKERKB
ATTACKERKB
added 2026/04/10 4:3 p.m.5 views

CVE-2026-35620

OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce...

5.4CVSS5.9AI score0.00442EPSS
Exploits1References7
Vulnrichment
Vulnrichment
added 2026/04/10 4:3 p.m.3 views

CVE-2026-35620 OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands

OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce...

5.4CVSS5.9AI score0.00442EPSS
Exploits1References6
EUVD
EUVD
added 2026/04/07 3:30 p.m.8 views

EUVD-2026-19694

An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N 5.8 Medium. This issue was fix...

5.8CVSS5.8AI score0.00191EPSS
Exploits0References3
Rows per page
Query Builder