Lucene search
K

1651 matches found

Snyk
Snyk
added 6 days ago4 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization in the workflow approval process. An attacker can gain unauthorized access to protected resources or perform privileged actions by bypassing the intended approval gate through manipulation of permanent fork pull...

8.9CVSS5.9AI score0.00201EPSS
Exploits0References2
Snyk
Snyk
added 6 days ago4 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization in the workflow approval process. An attacker can gain unauthorized access to protected resources or perform privileged actions by bypassing the intended approval gate through manipulation of permanent fork pull...

8.9CVSS5.9AI score0.00201EPSS
Exploits0References2
NVD
NVD
added 6 days ago7 views

CVE-2026-58424

Permanent Fork PR Workflow Approval Gate Bypass...

8.9CVSS0.00201EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 6 days ago5 views

CVE-2026-58424

Permanent Fork PR Workflow Approval Gate Bypass...

8.9CVSS5.9AI score0.00201EPSS
Exploits0References5
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-58424 Permanent Fork PR Workflow Approval Gate Bypass

Permanent Fork PR Workflow Approval Gate Bypass...

8.9CVSS0.00201EPSS
Exploits0References4
CVE
CVE
added 6 days ago31 views

CVE-2026-58424

Technical details about CVE-2026-58424 are not publicly available in the provided documents. No product, vector, or impact specifics are included. Monitor for updates in official advisories.

8.9CVSS5.9AI score0.00201EPSS
Exploits0References4
NVD
NVD
added 6 days ago8 views

CVE-2026-9626

The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the postcomment API endpoint in versions up to, and including, 4.1.0 This is due to insufficient input sanitization in the postcomment function, which passes the attacker-controlled...

6.4CVSS0.00228EPSS
Exploits0References6
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-41490

The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the postcomment API endpoint in versions up to, and including, 4.1.0 This is due to insufficient input sanitization in the postcomment function, which passes the attacker-controlled...

6.4CVSS5.9AI score0.00228EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 6 days ago9 views

CVE-2026-9626

The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the postcomment API endpoint in versions up to, and including, 4.1.0 This is due to insufficient input sanitization in the postcomment function, which passes the attacker-controlled...

6.4CVSS5.9AI score0.00228EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 6 days ago9 views

PT-2026-55657

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A flaw exists that allows for a permanent fork pull request workflow approval gate bypass. This issue enables an attacker to circumvent the required approval...

8.9CVSS6AI score0.00201EPSS
Exploits0References7
OSV
OSV
added last week6 views

GHSA-CQWV-9QJX-VXW2 OpenClaw: Skill Workshop apply flow could override pending approval

Summary Skill Workshop apply flow could override pending approval. In affected versions, an agent tool call reaching the affected Skill Workshop apply path could set apply: true despite approvalPolicy: pending. This advisory is scoped to the named feature and configuration. It does not change...

5.3CVSS6AI score0.00194EPSS
Exploits0References2
OSV
OSV
added last week3 views

GHSA-83W9-H5WV-J9XM OpenClaw: Node pairing reconnection could confuse approval scope state

Summary Node pairing reconnection could confuse approval scope state. In affected versions, a paired or reconnecting node session could mutate pairing state in a way that changed the approval scope decision. This advisory is scoped to the named feature and configuration. It does not change...

7.6CVSS6AI score0.00221EPSS
Exploits0References2
OSV
OSV
added last week3 views

GHSA-MGQ6-VR84-7M2J OpenClaw: QQBot native approval buttons did not enforce configured approver identity

Summary OpenClaw's QQBot channel can deliver native approval buttons for exec and plugin approvals. In affected releases, the button callback path resolved approvals without enforcing the configured QQBot approver identity. The text command approval path used the authorization check; the issue wa...

8CVSS5.8AI score0.00199EPSS
Exploits0References4
OSV
OSV
added last week3 views

GHSA-2J8V-HWGC-X698 OpenClaw: Shell wrapper argv could change between approval and execution

Summary Shell wrapper argv could change between approval and execution. In affected versions, a command request using a shell wrapper form could approve one resolved argv shape and rebuild another for execution. This advisory is scoped to the named feature and configuration. It does not change...

8.7CVSS6AI score0.00982EPSS
Exploits0References2
OSV
OSV
added last week2 views

GHSA-XWW8-GQVH-92X9 OpenClaw: Exec approval display truncation could hide the command being approved

Summary OpenClaw exec approvals could show a shortened command in the approval UI while keeping the full original command for execution. For very long commands, an approver could see and approve a benign-looking prefix while a hidden suffix remained part of the command that would run after...

8CVSS5.8AI score0.00232EPSS
Exploits0References2
NVD
NVD
added 2026/07/01 7:16 a.m.7 views

CVE-2026-11887

The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new...

4.3CVSS0.00178EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 6:0 a.m.16 views

CVE-2026-11887

The CVE concerns the Salon Booking System WordPress plugin prior to 10.30.20. Affected component: an AJAX action without proper authorization checks, enabling any authenticated user (e.g., a subscriber) to modify the plugin’s settings and bypass manual approval of new bookings. Root cause: insuff...

4.3CVSS5.8AI score0.00178EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/01 6:0 a.m.39 views

CVE-2026-11887 Salon Booking System < 10.30.20 - Subscriber+ Booking Approval Bypass

The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new...

0.00178EPSS
Exploits0References1
CVE
CVE
added 2026/06/30 9:6 p.m.12 views

CVE-2026-58448

CVE-2026-58448 affects yudao-cloud (BPM module) prior to 2026.06. A broken access control flaw allows any authenticated user to read arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected GET endpoint that lacks the @PreAuthorize annotati...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References3
NVD
NVD
added 2026/06/30 5:16 p.m.7 views

CVE-2026-58370

Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is populated from the git commit author name commit.author.name carried in the webhook payload, which is attacker-controlled and not verified by GitLab. A us...

9.2CVSS0.00546EPSS
Exploits0References4
Rows per page
Query Builder