47 matches found
CVE-2026-44224
Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without...
CVE-2026-44224 Wiki.js: Privilege Escalation via Missing Group Validation in users.update
Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without...
GHSA-RHCG-3H8R-V6VP Umbraco Affected by Vertical Privilege Escalation via Missing Authorization Checks
Description A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group membership...
CVE-2019-25344
Wondershare MobileGo 8.5.0 contains an insecure file permissions vulnerability that allows local users to modify executable files in the application directory. Attackers can replace the original MobileGo.exe with a malicious executable to create a new user account and add it to the Administrators...
CVE-2025-65094
WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, bu...
CVE-2025-65094 WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation (IDOR)
WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, bu...
Siemens Multiple Products Security Vulnerability
SIMATIC RTLS Locating Manager is used to configure, operate and maintain the SIMATIC RTLS unit, a real-time wireless positioning system that provides locating solutions. Siemens SIMATIC RTLS Locating Manager suffers from an incorrect assignment of critical resource privileges vulnerability, which...
Abusing the DHCP Administrators Group to Escalate Privileges in Windows Domains
...
PT-2022-26026 · Delta Electronics · Infrasuite Device Master
Name of the Vulnerable Software and Affected Versions: Delta Electronics InfraSuite Device Master versions 00.00.01a and prior Description: The issue concerns a lack of proper authentication for functions that create and modify user groups. An attacker could exploit this by providing malicious...
Delta Electronics InfraSuite Device Master Access Control Error Vulnerability
Delta Electronics InfraSuite Device Master is used to simplify and automate critical device monitoring by Delta Electronics of Taiwan, China. An access control error vulnerability exists in versions prior to Delta Electronics InfraSuite Device Master 00.00.01a, which stems from a lack of proper...
CVE-2022-43400
A vulnerability has been identified in Siveillance Video Mobile Server V2022 R2 (All versions < V22.2a 80). The mobile server component of affected applications improperly handles the login for Active Directory accounts that are part of the Administrators group. This could allow an unauthenticated remot...
Design/Logic Flaw
A vulnerability has been identified in Siveillance Video Mobile Server V2022 R2 (All versions < V22.2a 80). The mobile server component of affected applications improperly handles the login for Active Directory accounts that are part of the Administrators group. This could allow an unauthenticated remot...
Siemens Siveillance Video Mobile Server Authorization Issue Vulnerability
Siveillance Video, formerly known as SiveillanceVMS, is IP video management software for deployments ranging from small and simple to large and highly secure. An authentication bypass vulnerability exists in Siemens Siveillance Video Mobile Server due to the mobile server component of the...
Siemens Siveillance Video Mobile Server Authentication Bypass Vulnerability
Siveillance Video, formerly known as SiveillanceVMS, is IP video management software for deployments ranging from small and simple to large and highly secure. An authentication bypass vulnerability exists in Siemens Siveillance Video Mobile Server due to the mobile server component of the...
PT-2022-5189 · Unknown · Siveillance Video Mobile Server
Name of the Vulnerable Software and Affected Versions: Siveillance Video Mobile Server versions prior to V22.2a 80 Description: A vulnerability has been identified in the mobile server component of Siveillance Video Mobile Server, which improperly handles logins for Active Directory accounts that...
CVE-2022-43400
A vulnerability has been identified in Siveillance Video Mobile Server V2022 R2 (All versions < V22.2a 80). The mobile server component of affected applications improperly handles the login for Active Directory accounts that are part of the Administrators group. This could allow an unauthenticated remot...
Bifrost Authorization Issue Vulnerability
Bifrost is heterogeneous middleware by the individual developer brokercap, built for production environments to synchronize MySQL and MariaDB data to Redis, ClickHouse, Elasticsearch and other services. A security vulnerability exists in Bifrost versions prior to 1.8.8. An attacker exploiting this vulnerabilit...
PEEL Shopping CMS SQL Injection Vulnerability
PEEL Shopping CMS is a shopping platform. A SQL injection vulnerability exists in PEEL Shopping CMS version 9.4.0, which stems from a lack of filtering of SQL data in utilisateurs.php. An attacker belonging to the Administrators group can inject malicious SQL queries to affect the application's...
SpoolFool
This is a code analysis of the AddUser repository. Classification: Exploit module/toolkit targeting Windows systems. Primary CVE ID: Not explicitly stated, but the code appears to be related to the exploitation of a vulnerability in the Windows NetAPI32 library. Target product/service: Windows...
Exploit for CVE-2021-1675
CVE-2021-1675 - PrintNightmare LPE PowerShell Caleb Stewa...