CVE-2026-42571 Privilege Escalation Attack affecting Pelican Web UI
Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user...
CVE-2026-42571
Pelican Web UI privilege escalation affects multiple series (7.21.x before 7.21.5, 7.22.x before 7.22.3, 7.23.x before 7.23.3, 7.24.x before 7.24.2). An authenticated WebUI user via OAuth can gain admin privileges under certain configurations. Patches are available in 7.21.5, 7.22.3, 7.23.3, and ...
CVE-2026-42562 Plainpad: Privilege Escalation via Writable Admin Field in Profile Update (Access Control)
Plainpad is a self-hosted note-taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated accou...
CVE-2026-42562
Plainpad is a self-hosted note-taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated accou...
EUVD-2026-28929
Plainpad is a self-hosted note-taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated accou...
CVE-2026-42562
Plainpad (self-hosted note-taking app) is affected prior to version 1.1.1. A low-privilege, authenticated user can escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}; the endpoint stores the admin attribute from user input, allowing immediate access to admin-only rou...
OESA-2026-2216 python-django security update
A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker ...
CVE-2026-8185
The CVE primarily affects UGREEN CM933 1.1.59.4319, where an unknown function in the Administrative Interface allows missing authentication. This vulnerability requires local-network proximity (attack vector Adjacent) and exposes confidentiality, integrity, and availability at Low impact per the ...
CVE-2026-8185 UGREEN CM933 Administrative missing authentication
A security vulnerability has been detected in UGREEN CM933 1.1.59.4319. The impacted element is an unknown function of the component Administrative Interface. Such manipulation leads to missing authentication. The attack requires being on the local network. You should upgrade the affected...
CVE-2026-1749
There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission...
CVE-2026-1749
CVE-2026-1749 affects HikCentral Professional (some versions) with an Access Control vulnerability that could allow an unauthenticated user to obtain admin permissions. The NVD/Hikvision disclosures indicate the issue stems from inadequate access control, enabling elevated privileges and compromi...
CVE-2026-7652 LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism
The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0. This is due to the saveconnectedwordpressuser function propagating a LatePoint customer's email address to it...
CVE-2026-36458
ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cmscontent tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered...
CVE-2026-8128
A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Performing a manipulation of the argument msgid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made...