CVE-2026-44832 Snipe-IT: Privilege Escalation via API Permissions Assignment
Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/id with permissionsadmin=1. The API controller only strips the superuser key from the...
Snipe-IT has Privilege Escalation via API Permissions Assignment
Impact An authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/id with permissionsadmin=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the YAML metadata parsing process. An attacker can cause excessive memory consumption and potentially trigger an out-of-memory condition on the server by uploading a crafted image ...
Decidim security vulnerabilities
Decidim is an open-source participatory democracy framework developed using Ruby on Rails. Versions of Decidim from 0.0.1 to 0.30.5 and 0.31.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of permission checks for the commentable fields in the API, which could...
FreePBX security vulnerabilities
FreePBX, formerly known as Asterisk Management Portal, is a set of tools developed by the FreePBX project, designed to configure Asterisk, an IP telephony system, through a graphical web-based interface (GUI). Versions of FreePBX prior to 17.0.5 and 16.0.17 contained security vulnerabilities. These...
Keycloak security vulnerabilities
Keycloak is an open-source identity and access management solution developed by Keycloak. There is a security vulnerability in Keycloak, which stems from improper control of administrator API permissions. This vulnerability may allow restricted administrators to retrieve sensitive user attributes...
CVE-2019-20887
An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts...
EUVD-2019-11424
Malware in sbrugna...
EUVD-2024-41439
Malicious code in bioql PyPI...
EUVD-2022-24803
Malicious code in bioql PyPI...
CVE-2025-4128 Mattermost Guest User Information Disclosure Vulnerability
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/teamid...
CVE-2024-29200
Kimai is a web-based multi-user time-tracking application. The permission viewothertimesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the viewothertimesheet permission to true, on the frontend, users can only see timesheet...
CVE-2020-25191
Incorrect permissions are set by default for an API entry-point of a specific service, allowing a non-authenticated user to trigger a function that could reboot the CompactRIO Driver versions prior to 20.5 remotely...
CVE-2025-30155 Tuleap does not enforce read permissions on parent trackers in the REST API
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap does not enforce read permissions on parent trackers in the REST API. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742392651 and Tuleap Enterprise Edition 16.5-5 and 16.4-8...
PYSEC-2025-12
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Cross-site request forgery allows an unauthenticated attacker to hijack the authentication of a logged-in user, and use the web API with the same permissions, including but not...
Information Disclosure
Mattermost is vulnerable to Information Disclosure. The vulnerability is due to insufficient API permissions enforcement, allowing team members to retrieve sensitive information without sufficient restrictions...
CVE-2024-45323
An improper access control vulnerability CWE-284 in FortiEDR Manager API 6.2.0 through 6.2.2, 6.0 all versions may allow in a shared environment context an authenticated admin with REST API permissions in his profile and restricted to a specific organization to access backend logs that include...
CVE-2024-45323
CVE-2024-45323 affects FortiEDR Manager API versions 6.0 through 6.2.2. The root cause is improper access control (CWE-284) that, in a shared environment, allows an authenticated admin with REST API permissions (restricted to a single organization) to access backend logs containing information re...