87127 matches found
CVE-2026-40620
A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted...
CVE-2026-40620 SenseLive X3050 Missing authentication for critical function
A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted...
CVE-2026-40620
SenseLive X3050 is affected by a network‑accessible vulnerability in its embedded management service that permits full administrative control without authentication or authorization. The issue enables any reachable host using a vendor or compatible client to modify critical configuration paramete...
actual 访问控制错误漏洞
Actual is a personal finance tool developed by Actual OpenSource. Versions of Actual prior to 26.4.0 contained an access control vulnerability. This vulnerability stemmed from the lack of authorization checks for the /account/change-password endpoint. Combined with the password authentication row...
PT-2026-34865
Name of the Vulnerable Software and Affected Versions Apache ActiveMQ Broker versions prior to 5.19.6 Apache ActiveMQ Broker versions 6.0.0 through 6.2.4 Apache ActiveMQ All versions prior to 5.19.6 Apache ActiveMQ All versions 6.0.0 through 6.2.4 Apache ActiveMQ versions prior to 5.19.6 Apache...
PT-2026-35027
Name of the Vulnerable Software and Affected Versions AWS Ops Wheel affected versions not specified Description Missing JWT signature verification allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application. This enables the ability to read,...
Rclone 1.45.x < 1.73.5 Authentication Bypass (CVE-2026-41176)
The version of Rclone installed on the remote host is 1.45.x prior to 1.73.5. It is, therefore, affected by an authentication bypass vulnerability: - The RC endpoint options/set is exposed without AuthRequired, but it can mutate global runtime configuration, including the RC option block itself. ...
listmonk Admin Authentication / Password Flow Security Assessment Module
This Metasploit auxiliary module is a web application security testing tool designed to evaluate authentication and password management logic in a Listmonk admin panel deployment...
PT-2026-35060
Name of the Vulnerable Software and Affected Versions Dgraph versions prior to 25.3.3 Description Dgraph exposes the process command line through the unauthenticated '/debug/vars' endpoint on Alpha. Since the admin token is often provided via the --security startup flag, an unauthenticated attack...
Mahara 访问控制错误漏洞
Mahara is a free and open-source web-based electronic portfolio management system. Versions of Mahara before 24.04.10 and 25.04.1 contained an access control vulnerability. This vulnerability could allow institutional administrators or support administrators on multi-technology sites to impersona...
PT-2026-34874
AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this...
CVE-2025-67259
Affects ClassroomIO v0.1.13. A Broken Access Control vulnerability allows an authenticated low-privilege student to access unauthorized course information by altering intercepted API requests. Specifically, changing a captured POST request to a GET against the /rest/v1/course PostgREST endpoint e...
PT-2026-35028
Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...
CVE-2025-67259
A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API requests. Changing a captured POST request to a GET request against the /rest/v1/course PostgREST...
PT-2026-34810
Name of the Vulnerable Software and Affected Versions SenseLive X3050 affected versions not specified Description The embedded management service in the SenseLive config application lacks authentication and authorization. This allows any reachable host to establish full administrative control and...
SimpleHelp Path Traversal Vulnerability
SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file i.e. zip slip. This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user...
SimpleHelp Missing Authorization Vulnerability
SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role...
CVE-2026-40431 SenseLive X3050 Cleartext transmission of sensitive information
A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is transmitted in cleartext, an attacker with access to the same...
CVE-2026-35503 SenseLive X3050 Use of Hard-coded Credentials
A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these...
CVE-2026-35503
A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these...