Lucene search
K

42 matches found

Cvelist
Cvelist
added 2026/06/24 11:53 a.m.32 views

CVE-2026-56256 Capgo - Two-Factor Authentication Bypass via Organization Management API

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization ORG management API endpoints e.g., editing organization details, inviting users do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can...

7.1CVSS0.00238EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/24 11:53 a.m.5 views

CVE-2026-56256

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization ORG management API endpoints e.g., editing organization details, inviting users do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can...

7.1CVSS5.9AI score0.00238EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/24 11:53 a.m.8 views

EUVD-2026-38743

Capgo before 12.128.2 enforces mandatory two-factor authentication only at the UI level. Sensitive Organization ORG management API endpoints e.g., editing organization details, inviting users do not validate 2FA completion on the backend. An authenticated Admin user who has not enabled 2FA can...

7.1CVSS5.9AI score0.00238EPSS
Exploits0References2
CVE
CVE
added 2026/06/24 11:53 a.m.10 views

CVE-2026-56256

CVE-2026-56256 affects Capgo prior to 12.128.2, where 2FA is enforced only at the UI level. The backend ORG management API endpoints (e.g., editing organization details, inviting users) do not require 2FA, allowing an authenticated admin without 2FA to replay/modify a captured ORG API request to ...

7.1CVSS5.9AI score0.00238EPSS
Exploits0References2
OSV
OSV
added 2026/05/11 7:32 p.m.12 views

GHSA-FRF7-JHP9-JXM6 MantisBT Vulnerable to Privilege Escalation from Manager to Administrator

Insufficient access control checks in ProjectUsersAddCommand used in manageprojuseradd.php and REST API endpoint PUT /project/id/users allows users having manageprojectthreshold access level manager by default to grant project-level administrator access to any user including themselves in any...

5.1CVSS5.9AI score0.00427EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/04/02 5:4 a.m.5 views

CVE-2026-30522

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering...

6.5CVSS6AI score0.00255EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/04/01 5:0 a.m.5 views

CVE-2026-30521

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this...

6.5CVSS6AI score0.00313EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/01 12:0 a.m.26 views

CVE-2026-30522

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering...

0.00255EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/01 12:0 a.m.3 views

CVE-2026-30522

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering...

6AI score0.00255EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/31 9:31 p.m.4 views

EUVD-2026-17583

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this...

6AI score0.00313EPSS
Exploits1References2
NVD
NVD
added 2026/03/31 7:16 p.m.8 views

CVE-2026-30521

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this...

6.5CVSS0.00313EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/31 12:0 a.m.11 views

PT-2026-29325

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this...

6AI score0.00313EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/31 12:0 a.m.3 views

CVE-2026-30521

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this...

6AI score0.00313EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/12 5:57 p.m.30 views

CVE-2026-32139 Dataease: Unfiltered active SVG content leads to Stored XSS

Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as...

5.3CVSS0.002EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/11 6:13 p.m.2 views

EUVD-2026-11284

Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign...

9.8CVSS5.9AI score0.00638EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/02/26 12:0 a.m.4 views

CVE-2025-56605

A reflected Cross-Site Scripting XSS vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. The mobile POST parameter is improperly validated and echoed back in the HTTP response without sanitization, allowing an attacker to inject and execute...

6.2AI score0.00189EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/02/02 12:0 a.m.8 views

Keycloak 代码问题漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak itself. Keycloak has code-related vulnerabilities; these vulnerabilities stem from insufficient backend notification endpoint validation by the CIBA function regarding client configurations. This may lead to...

2.7CVSS5.8AI score0.00236EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/01/28 6:7 p.m.29 views

CVE-2026-24772 OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a share...

8.9CVSS0.00159EPSS
Exploits0References1
Snyk
Snyk
added 2026/01/10 4:57 a.m.5 views

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via insufficient backend validation in the Agent service's database query tool. An attacker can access sensitive information from the server and database by using prompt-based bypass techniques to evade query restrictions...

9.8CVSS7.5AI score0.00353EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2025/12/05 3:27 p.m.5 views

CVE-2025-65900

Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all...

6.5CVSS6.4AI score0.00266EPSS
Exploits3References1
Rows per page
Query Builder