Lucene search
K

44 matches found

NVD
NVD
added 2026/06/25 8:17 p.m.15 views

CVE-2026-57520

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

7.1CVSS0.00354EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/06/25 7:8 p.m.21 views

CVE-2026-57520 Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

7.1CVSS0.00354EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/06/25 7:8 p.m.3 views

CVE-2026-57520 Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

7.1CVSS5.8AI score0.00354EPSS
Exploits1References5
CVE
CVE
added 2026/06/25 7:8 p.m.27 views

CVE-2026-57520

Bitwarden Server prior to 2026.5.0 is affected by a privilege-escalation vulnerability in the bulk user-remove endpoint. The issue arises from a missing role hierarchy check, allowing authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by supplying...

7.1CVSS5.9AI score0.00354EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/06/25 7:8 p.m.3 views

CVE-2026-57520 Bitwarden Server < 2026.5.0 Privilege Escalation via Bulk User Remove Endpoint

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

7.1CVSS6AI score0.00354EPSS
Exploits1References8
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.10 views

CVE-2026-8350

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulkuserassignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove...

8.8CVSS5.5AI score0.00301EPSS
Exploits0References1
NVD
NVD
added 2026/05/27 6:16 p.m.16 views

CVE-2026-45716

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

8.8CVSS0.00261EPSS
Exploits0References2
OSV
OSV
added 2026/05/21 9:30 p.m.4 views

GHSA-G7XP-JF3X-WCX4 Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulkuserassignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove...

7.5CVSS5.8AI score0.00301EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.7 views

Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulkuserassignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove...

8.8CVSS5.8AI score0.00301EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2026/05/21 9:16 p.m.22 views

CVE-2026-8350

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulkuserassignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove...

8.8CVSS0.00301EPSS
Exploits0References1
CVE
CVE
added 2026/05/21 8:28 p.m.21 views

CVE-2026-8350

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php, enabling privilege escalation to the Administrative Group. Any authenticated user with access to the bulk user assignment dashboard can add any user email to any group and can remove legitimate ad...

8.8CVSS5.8AI score0.00301EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/21 8:28 p.m.35 views

CVE-2026-8350 Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulkuserassignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove...

7.5CVSS0.00301EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/21 8:28 p.m.7 views

CVE-2026-8350 Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulkuserassignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove...

7.5CVSS5.8AI score0.00301EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/21 8:28 p.m.5 views

CVE-2026-8350

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulkuserassignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove...

7.5CVSS5.8AI score0.00301EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/05/21 8:28 p.m.9 views

EUVD-2026-31343

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulkuserassignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove...

7.5CVSS5.8AI score0.00301EPSS
Exploits0References1
OSV
OSV
added 2026/05/21 8:28 p.m.2 views

CVE-2026-8350 Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulkuserassignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove...

7.5CVSS5.9AI score0.00301EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/21 12:0 a.m.12 views

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system designed for teams. Concrete CMS versions 9.5.0 and earlier have security vulnerabilities. These vulnerabilities stem from a lack of authorization in the bulkuserassignment.php file, which may lead to permissions being granted to...

8.8CVSS5.8AI score0.00301EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.15 views

PT-2026-42546

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.5.0 and earlier Description Missing authorization in the 'bulk user assignment.php' endpoint allows an authenticated user with access to the bulk user assignment dashboard page to perform privilege escalation to the...

8.8CVSS5.8AI score0.00301EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.17 views

PT-2026-41795

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.1 Description An issue exists in the "POST /api/global/users/onboard" endpoint, which is protected by the workspaceBuilderOrAdmin middleware. This allows users with builder permissions to access the endpoint. In...

8.8CVSS5.9AI score0.00261EPSS
Exploits0References5
Veracode
Veracode
added 2025/11/24 6:58 a.m.7 views

Improper Input Validation

auth0/wordpress is vulnerable to Improper Input Validation. The vulnerability is due to the Bulk User Import endpoint not validating the file path wrapper or value, which allows an attacker to supply arbitrary file paths or URLs to manipulate file handling behavior...

3.3CVSS7.1AI score0.00329EPSS
Exploits0References8Affected Software2
Rows per page
Query Builder