63 matches found

OSV · added 2026/04/04 6:41 a.m. · 5 views

GHSA-W48F-WWWF-F5FR pyLoad: Improper Neutralization of Special Elements used in an OS Command

Summary: The ADMINONLYOPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an...

CVSS 8.8 · AI score 6.4 · EPSS 0.00815
Exploits 1 · References 4
Github Security Blog · added 2026/04/04 6:41 a.m. · 6 views

pyLoad: Improper Neutralization of Special Elements used in an OS Command

Summary: The ADMINONLYOPTIONS protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is only applied to core config options, not to plugin config options. The AntiVirus plugin stores an...

CVSS 8.8 · AI score 6.4 · EPSS 0.00815
Exploits 1 · References 4 · Affected Software 1
Positive Technologies · added 2026/04/04 12:00 a.m. · 8 views

PT-2026-30340

Name of the Vulnerable Software and Affected Versions: pyLoad (affected versions not specified). Description: The ADMIN ONLY OPTIONS protection mechanism, intended to restrict access to sensitive configuration values, is not applied to plugin configuration options. Specifically, the AntiVirus plugin...

CVSS 8.8 · AI score 6.3 · EPSS 0.00815
Exploits 1 · References 11
OSV · added 2026/03/31 11:57 p.m. · 2 views

GHSA-5H2W-QMFP-GGP6 OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`

Summary: The chat.send path let authorized write-scoped callers persist /verbose session overrides even though the same stored session mutation is admin-only through sessions.patch. Impact: A write-scoped gateway caller could persist verbose output for later runs and expose more reasoning or tool...

CVSS 5.4 · AI score 5.9 · EPSS 0.00209
Exploits 0 · References 5
OSV · added 2026/03/13 9:22 p.m. · 7 views

CVE-2026-32715 AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...

CVSS 3.8 · AI score 5.8 · EPSS 0.00198
Exploits 1 · References 4
OSV · added 2026/03/13 3:48 p.m. · 3 views

GHSA-JF6W-M8JW-JFXC OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent`

Summary: In affected versions of openclaw, a gateway caller with operator.write could issue agent requests containing /new or /reset and reach the same reset path used by the admin-only sessions.reset RPC. Impact: On gateways where a caller is intentionally granted operator.write but not...

CVSS 6.1 · AI score 5.8
Exploits 0 · References 3
Vulnrichment · added 2026/02/19 11:23 p.m. · 3 views

CVE-2026-27008 OpenClaw hardened the skill download target directory validation

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in download skill installation allowed targetDir values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only skills.install flow, this could write files outside t...

CVSS 6.8 · AI score 5.5 · EPSS 0.00166
Exploits 0 · References 4
RedhatCVE · added 2025/12/17 4:04 p.m. · 12 views

CVE-2025-14432

In limited scenarios, sensitive data might be written to the log file if an admin uses Microsoft Teams Admin Center (TAC) to make device configuration changes. The affected log file is visible only to users with admin credentials. This is limited to Microsoft TAC and does not affect configuration...

CVSS 8.1 · AI score 6.7 · EPSS 0.00344
Exploits 0 · References 1
NVD · added 2025/10/24 10:15 a.m. · 5 views

CVE-2025-5350

SSRF and Reflected XSS vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the...

CVSS 5.9 · EPSS 0.00583
Exploits 0 · References 1
OSV · added 2025/10/24 10:15 a.m. · 5 views

CVE-2025-5350

SSRF and Reflected XSS vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the...

CVSS 4.8 · AI score 5.5
Exploits 0 · References 1
Vulnrichment · added 2025/10/24 10:08 a.m. · 5 views

CVE-2025-5350 SSRF and Reflected XSS Vulnerability in Deprecated Try-It Feature of Multiple WSO2 Products

SSRF and Reflected XSS vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the...

CVSS 5.9 · AI score 5.2 · EPSS 0.00583
Exploits 0 · References 1
Positive Technologies · added 2025/10/15 12:00 a.m. · 9 views

PT-2025-42234

Name of the Vulnerable Software and Affected Versions: Dahua embedded products (affected versions not specified). Description: A security issue exists in Dahua embedded products. An attacker gaining normal user credentials can potentially access data restricted to administrator privileges, including...

CVSS 6.8 · AI score 6.2 · EPSS 0.00275
Exploits 1 · References 8
RedhatCVE · added 2025/10/07 5:35 p.m. · 3 views

CVE-2025-61777

Flag Forge is a Capture The Flag (CTF) platform. Starting in version 2.0.0 and prior to version 2.3.2, the /api/admin/badge-templates GET and /api/admin/badge-templates/create POST endpoints previously allowed access without authentication or authorization. This could have enabled unauthorized user...

CVSS 9.4 · AI score 6.9 · EPSS 0.00434
Exploits 0 · References 1
EUVD · added 2025/10/07 12:30 a.m. · 6 views

EUVD-2019-7629

Malware in sbrugna...

CVSS 5.4 · AI score 5.5 · EPSS 0.01647
Exploits 2 · References 6
EUVD · added 2025/10/07 12:30 a.m. · 5 views

EUVD-2017-18313

Malware in sbrugna...

CVSS 6.5 · AI score 6.6 · EPSS 0.0063
Exploits 1 · References 3
Hacker One · added 2025/10/05 2:15 p.m. · 13 views

Lovable VDP: Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable AI)

The API endpoint /workspaces//tool-preferences/aigateway/enable did not enforce proper authorization checks. As a result, an account with the Editor role was able to disable the workspace-wide admin-only Lovable AI feature, which powers key AI functionalities across the workspace...

AI score 6.9
Exploits 0
RedhatCVE · added 2025/08/20 3:28 a.m. · 8 views

CVE-2025-9103

A vulnerability was detected in ZenCart 2.1.0. Affected by this vulnerability is an unknown functionality of the component CKEditor. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The real existenc...

CVSS 4.8 · AI score 6.5 · EPSS 0.00246
Exploits 0 · References 1
Positive Technologies · added 2024/12/30 12:00 a.m. · 4 views

PT-2024-17909 · Softiron · Softiron Hypercloud

Name of the Vulnerable Software and Affected Versions: SoftIron HyperCloud versions 2.3.0 through 2.4.x. Description: An issue exists where authenticated, but non-admin users can create data pools, potentially impacting the performance and availability of the backend software-defined storage...

CVSS 4.8 · AI score 7.2 · EPSS 0.0041
Exploits 0 · References 6
NVD · added 2024/08/01 7:15 a.m. · 19 views

CVE-2024-5678

Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the Create Monitor feature...

CVSS 4.7 · EPSS 0.0255
Exploits 0 · References 1
CVE · added 2024/08/01 6:54 a.m. · 54 views

CVE-2024-5678

CVE-2024-5678 affects Zoho ManageEngine Applications Manager versions 17.0900 and earlier. The vulnerability is an authenticated admin-only SQL Injection in the Create Monitor feature, introduced by the underlying input handling in that function. Exploitation requires admin access, with no user i...

CVSS 4.7 · AI score 5.4 · EPSS 0.0255
Exploits 0 · References 1 · Affected Software 1