Lucene search
+L

275 matches found

NVD
NVD
added yesterday7 views

CVE-2026-62218

OpenClaw 2026.1.20 before 2026.5.27 contain an authorization bypass vulnerability in the device.pair.approve feature that allows lower-trust callers to bypass role-management checks. Attackers can perform actions requiring stronger authorization by reaching the affected feature through configured...

8.8CVSS0.00261EPSS
Exploits0References2
EUVD
EUVD
added yesterday7 views

EUVD-2026-45106

OpenClaw 2026.1.20 before 2026.5.27 contain an authorization bypass vulnerability in the device.pair.approve feature that allows lower-trust callers to bypass role-management checks. Attackers can perform actions requiring stronger authorization by reaching the affected feature through configured...

8.8CVSS6.1AI score0.00261EPSS
Exploits0References2
CVE
CVE
added yesterday9 views

CVE-2026-62218

OpenClaw 2026.1.20 before 2026.5.27 contains an authorization bypass in device.pair.approve, allowing lower-trust callers to bypass role-management checks and perform actions requiring stronger authorization via configured input paths. CVSS metrics show HIGH impact across confidentiality, integri...

8.8CVSS6.1AI score0.00261EPSS
Exploits0References2
Cvelist
Cvelist
added yesterday33 views

CVE-2026-62218 OpenClaw 2026.1.20 < 2026.5.27 Authorization Bypass via device.pair.approve

OpenClaw 2026.1.20 before 2026.5.27 contain an authorization bypass vulnerability in the device.pair.approve feature that allows lower-trust callers to bypass role-management checks. Attackers can perform actions requiring stronger authorization by reaching the affected feature through configured...

8.8CVSS0.00261EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-15641

Improper authorization in the access request status endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to approve their own pending access request via a direct call to the request status endpoint, bypassing the required approver review...

0.00224EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 4 days ago5 views

PT-2026-58676

Name of the Vulnerable Software and Affected Versions Devolutions Server version 2026.2.11 Devolutions Server version 2026.1.22 Description Improper authorization in the access request status endpoint allows an authenticated low-privileged user to approve their own pending access request. This is...

7.1CVSS5.3AI score0.00224EPSS
Exploits0References3
NVD
NVD
added 5 days ago6 views

CVE-2026-12396

The WP Job Portal WordPress plugin before 2.5.5 does not perform capability or ownership checks before allowing job moderation actions, allowing authenticated users with a subscriber-level self-registerable account to approve, feature, or reject arbitrary jobs, including those owned by other user...

5.4CVSS0.0017EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/10 4:3 p.m.6 views

CVE-2026-39903 Simple Machines Forum Authorization Bypass via AttachmentApprove.php

Simple Machines Forum 2.1 prior to commit 7d048f8 and 3.0 prior to commit a7875e8 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An...

7.1CVSS6.1AI score0.00333EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.17 views

PT-2026-55500

Name of the Vulnerable Software and Affected Versions JSON API User versions prior to 4.1.1 Description The JSON API User plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the post comment function fails to properly sanitize input, allowing the comment content...

6.4CVSS6.1AI score0.00228EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/05/28 5:32 p.m.10 views

CVE-2026-45311

CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the runtests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build...

9.6CVSS6.2AI score0.00375EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/25 2:15 p.m.11 views

CVE-2018-25370

Admidio 3.3.5 contains a cross-site request forgery vulnerability that allows low-privilege users to increase their permissions by exploiting improper origin checking. Attackers can craft malicious HTML forms targeting rolesfunction.php with parameters like rolassignroles, rolapproveusers, and...

6.9CVSS5.7AI score0.00192EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/22 1:58 p.m.7 views

CVE-2026-8340

Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with editfilecontents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version downgrade to an older version of a file, or activation of a co-editor's unpublished version. The...

2.3CVSS5.8AI score0.00103EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/22 1:58 p.m.4 views

CVE-2026-8340 Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion

Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with editfilecontents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version downgrade to an older version of a file, or activation of a co-editor's unpublished version. The...

2.3CVSS5.9AI score0.00103EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/22 12:31 a.m.13 views

EUVD-2026-31363

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file approveVersion. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

2.3CVSS5.8AI score0.00115EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/21 9:22 p.m.7 views

CVE-2026-8435 Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion()

Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery CSRF at concrete/controllers/backend/file approveVersion. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N...

2.3CVSS5.8AI score0.00115EPSS
Exploits0References1
CVE
CVE
added 2026/05/21 9:22 p.m.25 views

CVE-2026-8435

Concrete CMS is affected: versions 9.0–9.4.x are vulnerable to Cross-Site Request Forgery in the approveVersion() endpoint located at concrete/controllers/backend/file. The issue is CSRF due to lack of proper request binding; exploitation would require user interaction. Remediation provided in so...

6.5CVSS5.8AI score0.00115EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2026/05/14 8:29 p.m.30 views

GHSA-72W5-PF8H-XFP4 DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

Summary The taskcreate tool spawns durable sub-agents that inherit two insecure defaults: - allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue - autoapprove defaults to true taskmanager.rs:297: autoapprove: Sometrue When a user approves a taskcreate call which requires...

9.6CVSS5.8AI score0.0026EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/14 8:29 p.m.12 views

DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

Summary The taskcreate tool spawns durable sub-agents that inherit two insecure defaults: - allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue - autoapprove defaults to true taskmanager.rs:297: autoapprove: Sometrue When a user approves a taskcreate call which requires...

9.6CVSS5.8AI score0.0026EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/04/28 6:10 p.m.4 views

CVE-2026-42426 OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope

OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to approve node pairing. Attackers with operator.write permissions can bypass pairi...

8.7CVSS5.9AI score0.00282EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/27 11:0 a.m.8 views

EUVD-2026-25831

A weakness has been identified in code-projects Employee Management System 1.0. Impacted is an unknown function of the file 370project/approve.php. Executing a manipulation of the argument id/token can lead to sql injection. The attack can be executed remotely. The exploit has been made available...

6.5CVSS5.5AI score0.00192EPSS
Exploits0References5
Rows per page
Query Builder