Lucene search
+L

3046 matches found

NVD
NVD
added 2 days ago4 views

CVE-2026-59235

Missing Authorization CWE-862 in BankAccountListController app/Http/Controllers/Api/BankAccount/BankAccountListController.php, exposed at GET /api/bank-account, in Prospero Flow CRM companyid-get, performing only company scoping and no role or permission check before returning the data. This...

8.7CVSS0.00413EPSS
Exploits0References3
OSV
OSV
added 2 days ago4 views

CVE-2026-59235 Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts

Missing Authorization CWE-862 in BankAccountListController app/Http/Controllers/Api/BankAccount/BankAccountListController.php, exposed at GET /api/bank-account, in Prospero Flow CRM companyid-get, performing only company scoping and no role or permission check before returning the data. This...

8.7CVSS6.2AI score0.00413EPSS
Exploits0References6
EUVD
EUVD
added 2 days ago4 views

EUVD-2026-44608

Missing Authorization CWE-862 in BankAccountListController app/Http/Controllers/Api/BankAccount/BankAccountListController.php, exposed at GET /api/bank-account, in Prospero Flow CRM companyid-get, performing only company scoping and no role or permission check before returning the data. This...

8.7CVSS6.2AI score0.00413EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 days ago6 views

CVE-2026-59235

Missing Authorization CWE-862 in BankAccountListController app/Http/Controllers/Api/BankAccount/BankAccountListController.php, exposed at GET /api/bank-account, in Prospero Flow CRM companyid-get, performing only company scoping and no role or permission check before returning the data. This...

8.7CVSS6.2AI score0.00413EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-59235 Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts

Missing Authorization CWE-862 in BankAccountListController app/Http/Controllers/Api/BankAccount/BankAccountListController.php, exposed at GET /api/bank-account, in Prospero Flow CRM companyid-get, performing only company scoping and no role or permission check before returning the data. This...

8.7CVSS0.00413EPSS
Exploits0References3
CVE
CVE
added 2 days ago8 views

CVE-2026-59235

CVE-2026-59235 describes a missing authorization check in Prospero Flow CRM company_id)->get(), enabling any authenticated, low-privilege user to read all bank accounts within their company. The vulnerability exposes sensitive data (IBAN, SWIFT/BIC, account identifiers) without role/permission...

8.7CVSS6.2AI score0.00413EPSS
Exploits0References3
NVD
NVD
added 4 days ago7 views

CVE-2026-15524

A security vulnerability has been detected in alioshr memory-bank-mcp up to 0.2.1/3.1. This affects an unknown part of the file list-project-files-validation-factory.ts. Such manipulation of the argument projectName leads to path traversal. Local access is required to approach this attack. The...

4.8CVSS0.00137EPSS
Exploits0References6
EUVD
EUVD
added 4 days ago8 views

EUVD-2026-43266

A security vulnerability has been detected in alioshr memory-bank-mcp up to 0.2.1/3.1. This affects an unknown part of the file list-project-files-validation-factory.ts. Such manipulation of the argument projectName leads to path traversal. Local access is required to approach this attack. The...

4.8CVSS5.8AI score0.00137EPSS
Exploits0References6
CVE
CVE
added 4 days ago13 views

CVE-2026-15524

The vulnerability CVE-2026-15524 affects alioshr memory-bank-mcp up to versions 0.2.1/3.1. The issue resides in the file list-project-files-validation-factory.ts where manipulation of the projectName argument enables path traversal. Local access is required to exploit, and public disclosure of th...

4.8CVSS5.8AI score0.00137EPSS
Exploits0References6
Cvelist
Cvelist
added 4 days ago36 views

CVE-2026-15524 alioshr memory-bank-mcp list-project-files-validation-factory.ts path traversal

A security vulnerability has been detected in alioshr memory-bank-mcp up to 0.2.1/3.1. This affects an unknown part of the file list-project-files-validation-factory.ts. Such manipulation of the argument projectName leads to path traversal. Local access is required to approach this attack. The...

4.8CVSS0.00137EPSS
Exploits0References6
NVD
NVD
added 2026/07/07 9:17 p.m.6 views

CVE-2026-46700

Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...

4.3CVSS0.00342EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/07 8:56 p.m.35 views

CVE-2026-46700 Actual: Missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets

Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...

4.3CVSS0.00342EPSS
Exploits0References4
CVE
CVE
added 2026/07/07 8:56 p.m.24 views

CVE-2026-46700

Summary: In @actual-app/sync-server, GET /secret/:name omits the admin check even when OpenID multi-user mode is active, allowing authenticated non-admin users to enumerate admin-configured secrets (e.g., gocardless_secretId, gocardless_secretKey, simplefin_token, simplefin_accessKey, pluggyai_cl...

4.3CVSS6AI score0.00342EPSS
Exploits0References4
OSV
OSV
added 2026/07/07 8:56 p.m.6 views

CVE-2026-46700 Actual: Missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets

Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...

4.3CVSS6AI score0.00342EPSS
Exploits0References6
NVD
NVD
added 2026/06/29 2:16 p.m.10 views

CVE-2026-40522

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM0 POST parameter. Attackers can supply malicious SQL syntax through the...

7.1CVSS0.00148EPSS
Exploits0References4
CVE
CVE
added 2026/06/29 12:29 p.m.24 views

CVE-2026-40522

FrontAccounting

7.1CVSS6AI score0.00148EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/29 12:29 p.m.9 views

CVE-2026-40522 FrontAccounting < 2.4.20 SQL Injection via rep601.php

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM0 POST parameter. Attackers can supply malicious SQL syntax through the...

7.1CVSS6AI score0.00148EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/29 12:29 p.m.8 views

EUVD-2026-40081

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM0 POST parameter. Attackers can supply malicious SQL syntax through the...

7.1CVSS6AI score0.00148EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/29 12:29 p.m.34 views

CVE-2026-40522 FrontAccounting < 2.4.20 SQL Injection via rep601.php

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM0 POST parameter. Attackers can supply malicious SQL syntax through the...

7.1CVSS0.00148EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/29 12:29 p.m.6 views

CVE-2026-40522

FrontAccounting before 2.4.20 contains a SQL injection vulnerability in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data by injecting UNION SELECT payloads into the PARAM0 POST parameter. Attackers can supply malicious SQL syntax through the...

7.1CVSS6AI score0.00148EPSS
Exploits0References5
Rows per page
Query Builder