Lucene search
+L

30246 matches found

NVD
NVD
added 2 days ago9 views

CVE-2026-48008

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync; the regular integration endpoint POST...

6.5CVSS0.00264EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago9 views

EUVD-2025-210480

The HCL DFMPro, DFXAnalytics and DFXServer installers are affected by ‘Insecure file permissions Leading to Privilege Escalation’ vulnerability, which enables any logged-in non-administrative user to overwrite or replace the executable file with a malicious binary...

3.3CVSS5.4AI score0.00074EPSS
Exploits0References1
NVD
NVD
added 2 days ago7 views

CVE-2026-16106

A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can...

4.9CVSS0.00201EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago10 views

EUVD-2026-45224

A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can...

4.9CVSS5.3AI score0.00201EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-16106 Keycloak-services: keycloak-services: incorrect authorization in admin role-composite deletion allows delegated admin to remove privileged child roles

A flaw was found in the admin REST API of Keycloak, a solution for identity and access management. The issue occurs when a delegated administrator attempts to remove a child role from a composite role. Due to missing authorization checks, an attacker with limited administrative permissions can...

4.9CVSS0.00201EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago9 views

EUVD-2026-45223

A flaw was found in the default-groups REST endpoint and realm representation of Keycloak. This component is responsible for managing groups that are automatically assigned to new users within a realm. The issue allows a delegated administrator with realm-viewing permissions to see the names and...

4.3CVSS5.2AI score0.00183EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 days ago7 views

CVE-2026-16108

A flaw was found in the default-groups REST endpoint and realm representation of Keycloak. This component is responsible for managing groups that are automatically assigned to new users within a realm. The issue allows a delegated administrator with realm-viewing permissions to see the names and...

4.3CVSS5.3AI score0.00183EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2 days ago8 views

CVE-2026-16108

A flaw was found in the default-groups REST endpoint and realm representation of Keycloak. This component is responsible for managing groups that are automatically assigned to new users within a realm. The issue allows a delegated administrator with realm-viewing permissions to see the names and...

4.3CVSS4.8AI score0.00183EPSS
Exploits0References3
NVD
NVD
added 2 days ago8 views

CVE-2026-16072

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface...

4.9CVSS0.00237EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-45173

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface...

4.9CVSS5.3AI score0.00237EPSS
Exploits0References2
NVD
NVD
added 2 days ago8 views

CVE-2026-15943

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS0.00207EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-45164

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS5.4AI score0.00207EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 days ago6 views

CVE-2026-15943

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS5.3AI score0.00207EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2 days ago9 views

CVE-2026-15943

A flaw was found in the Keycloak keycloak-services component, which handles the management of identity providers. The issue occurs when a delegated administrator updates an OIDC identity provider using a masked client secret sentinel value. Due to improper validation, Keycloak reuses the existing...

5.5CVSS5.3AI score0.00207EPSS
Exploits0References3
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-45153

A non-administrator interactive user can obtain full SYSTEM code execution through a DCOM/task scheduler logic chain — no network access, no memory corruption required ITMS 8.7.3...

5.1CVSS6.1AI score0.00127EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2 days ago7 views

CVE-2026-15380

A non-administrator interactive user can obtain full SYSTEM code execution through a DCOM/task scheduler logic chain — no network access, no memory corruption required ITMS 8.7.3...

5.1CVSS6.1AI score0.00127EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago39 views

CVE-2026-9810 AI Chatbot & Workflow Automation by AIWU < 1.5.4 - Unauthenticated Privilege Escalation via MCP OAuth

The AI Copilot WordPress plugin before 1.5.4 does not bind OAuth access tokens to a WordPress user, and accepts any valid token as an administrator session, allowing unauthenticated attackers who complete the public OAuth flow to execute privileged MCP tools as an administrator, including arbitra...

0.00277EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago10 views

EUVD-2026-45150

The AI Copilot WordPress plugin before 1.5.4 does not bind OAuth access tokens to a WordPress user, and accepts any valid token as an administrator session, allowing unauthenticated attackers who complete the public OAuth flow to execute privileged MCP tools as an administrator, including arbitra...

9.8CVSS5.6AI score0.00277EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2 days ago6 views

CVE-2026-11961

The User Registration & Membership WordPress plugin before 5.2.3 does not validate that the membership tier submitted during public registration is one of the tiers allowed by the registration form before assigning that tier's associated user role, allowing unauthenticated users to register into ...

5.4AI score0.00226EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2 days ago6 views

CVE-2026-9810

The AI Copilot WordPress plugin before 1.5.4 does not bind OAuth access tokens to a WordPress user, and accepts any valid token as an administrator session, allowing unauthenticated attackers who complete the public OAuth flow to execute privileged MCP tools as an administrator, including arbitra...

9.8CVSS5.6AI score0.00277EPSS
Exploits0References1
Rows per page
Query Builder