14 matches found
CVE-2026-45716
Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by the workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances),...
Weblate Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url
Impact: An authenticated user with the project.add permission (the default on hosted Weblate SaaS and for any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo URL pointing at a private address, e.g. http://127.0.0.1:999...
Improper Access Control
apache-airflow is vulnerable to improper access control. The vulnerability is due to insufficient authorization checks in the bulk create API with the overwrite action, which allows an attacker with only CREATE privileges to update existing Pools, Connections, and Variables without having UPDATE...
CVE-2025-62503
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action...
GHSA-GP5F-CX7H-8Q6F Apache Airflow's create action can upsert existing Pools/Connections/Variables
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action...
Execution with Unnecessary Privileges
Overview: Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the bulk create API with the overwrite action. An attacker can modify existing records by submitting crafted requests with only CREATE privileges. Remediation: Upgrade apache-airflow-core to...
Apache Airflow's create action can upsert existing Pools/Connections/Variables
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action...
CVE-2025-62503
CVE-2025-62503 – Apache Airflow: Privilege boundary bypass in bulk APIs allows a user with CREATE (but not UPDATE) for Pools, Connections, and Variables to update existing records via the bulk create API with an overwrite action. Multiple sources (BIT-AIRFLOW-2025-62503, EUVD, Red Hat/CISA refere...
PT-2025-44369
Name of the Vulnerable Software and Affected Versions: Versions prior to 2025-62503. Description: A user possessing CREATE privilege but lacking UPDATE privilege for Pools, Connections, and Variables can modify existing records through the bulk create API utilizing the overwrite action. This allows...
EUVD-2025-27096
Malicious code in bioql PyPI...
CVE-2025-48042
Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routine...
EEF-CVE-2025-48042 Before action hooks may execute in certain scenarios despite a request being forbidden
Summary: Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program...