Lucene search
K

2670 matches found

NVD
NVD
added 3 days ago6 views

CVE-2026-56765

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches...

9.8CVSS0.00351EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago29 views

CVE-2026-56765 Vikunja - Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches...

9.8CVSS0.00351EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 3 days ago7 views

CVE-2026-7492

A flaw was found in GitLab. Under certain conditions, an unauthenticated user could determine the existence of a private project. This information disclosure is possible due to improper authorization controls on cross-project reference pages. This vulnerability allows an attacker to gain sensitiv...

5.3CVSS6AI score0.00254EPSS
Exploits0References6
CVE
CVE
added 3 days ago8 views

CVE-2026-5069

Vulnerability summary (CVE-2026-5069) : The Fluent Forms plugin for WordPress up to version 6.2.1 is vulnerable to incorrect authorization via the subscription_id parameter in the payment cancellation AJAX flow. The root cause is insufficient ownership authorization checks, allowing authenticated...

5.4CVSS5.9AI score0.00176EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-42778

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...

5.4CVSS5.9AI score0.00176EPSS
Exploits0References2
CVE
CVE
added 3 days ago7 views

CVE-2026-15318

CVE-2026-15318 affects Sipeed PicoClaw up to version 0.2.9. The vulnerability lies in the MQTT Channel Handler, specifically in the file pkg/channels/mqtt/mqtt.go, where manipulation of the client_id argument leads to incorrect authorization. The issue can be exploited remotely, and public exploi...

6.5CVSS6.2AI score0.00214EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 4 days ago3 views

GitLab 9.1 < 18.11.7 / 19.0 < 19.0.4 / 19.1 < 19.1.2 (CVE-2026-7492)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an...

5.3CVSS6.2AI score0.00254EPSS
Exploits0References5
NVD
NVD
added 5 days ago10 views

CVE-2026-6352

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper...

2.7CVSS0.00264EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-6352 Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with auditor-level access to modify compliance violation records due to improper...

2.7CVSS0.00264EPSS
Exploits0References3
NVD
NVD
added 5 days ago9 views

CVE-2026-56293

Capgo before 12.128.2 contains an authorization flaw in transferapp that fails to update deployhistory.ownerorg when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause...

5.4CVSS0.00143EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-56293 Capgo - Stale Cross-Organization Authorization via Incomplete deploy_history Update in transfer_app()

Capgo before 12.128.2 contains an authorization flaw in transferapp that fails to update deployhistory.ownerorg when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause...

5.4CVSS0.00143EPSS
Exploits0References2
EUVD
EUVD
added 5 days ago5 views

EUVD-2026-42254

Capgo before 12.128.2 contains an authorization flaw in transferapp that fails to update deployhistory.ownerorg when transferring applications between organizations. Attackers can exploit this omission to retain unauthorized access to deployment history records in the source organization or cause...

5.4CVSS6AI score0.00143EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-56246 Capgo - Cross-Organization Authorization Bypass via Scoped API Key Privilege Inheritance

Capgo before 12.128.2 contains a broken access control vulnerability in the organization management API where a scoped API key limitedtoorgs inherits its owner-user's permissions, allowing destructive cross-organization actions. When a user is an admin in two organizations and creates a write-mod...

8.1CVSS0.00223EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56588

Name of the Vulnerable Software and Affected Versions GitLab EE versions 16.10 through 18.11.6 GitLab EE versions 19.0 through 19.0.3 GitLab EE versions 19.1 through 19.1.1 Description Improper authorization controls could allow an authenticated user to modify group-level settings beyond their...

4.3CVSS6.1AI score0.00161EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56616

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 9.1 through 18.11.6 GitLab CE/EE versions 19.0 through 19.0.3 GitLab CE/EE versions 19.1 through 19.1.1 Description Improper authorization controls on cross-project reference pages could allow an unauthenticated user to...

5.3CVSS6.1AI score0.00254EPSS
Exploits0References6
CVE
CVE
added 6 days ago10 views

CVE-2026-50007

The CVE affects the open-source personal finance app “Actual.” Before version 26.7.0, a missing authorization flaw allows a non-owner shared user (with user_access on a budget file) to perform file-management actions that should be owner- or admin-only. Specifically, endpoints such as /delete-use...

7.2CVSS5.9AI score0.00246EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 6 days ago7 views

CVE-2026-50007

Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with useraccess on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users...

7.2CVSS5.9AI score0.00246EPSS
Exploits0References6Affected Software1
CVE
CVE
added 6 days ago12 views

CVE-2026-48957

CVE-2026-48957 affects Joomla! Core; the issue is an improper access control in the com_privacy webservice endpoints, enabling unauthorized users to access com_privacy datasets. Multiple sources (NVD entry and CVE records from CIRCL, CVE List, and Joomla security centre) describe the root cause a...

8.8CVSS6AI score0.0024EPSS
Exploits0References1Affected Software1
NVD
NVD
added 6 days ago10 views

CVE-2026-34048

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes...

9.9CVSS0.00405EPSS
Exploits0References3
CVE
CVE
added 6 days ago15 views

CVE-2026-34037

Coolify prior to v4.0.0-beta.464 is affected by a broken object-level authorization in cloneTo() within ResourceOperations.php. The action authenticates the source resource but resolves destination resources with unscoped Eloquent lookups, enabling cross-tenant cloning where an authenticated user...

9.9CVSS5.9AI score0.00247EPSS
Exploits0References3
Rows per page
Query Builder