104 matches found

Cvelist
added 5 days ago, 26 views

CVE-2026-36720

Insecure permissions in bookcars v8.3 allow authenticated attackers to escalate privileges from user to admin via modifying their user type...

EPSS: 0.00023
Exploits: 0, References: 1
RedhatCVE
added 2026/06/05 7:49 p.m., 6 views

CVE-2026-49433

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

CVSS: 5, AI score: 5.5, EPSS: 0.00015
Exploits: 0, References: 1
NVD
added 2026/06/01 9:16 p.m., 9 views

CVE-2026-49433

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

CVSS: 5, EPSS: 0.00015
Exploits: 0, References: 3
Cvelist
added 2026/06/01 7:59 p.m., 26 views

CVE-2026-49433 DeepAI api.deepai.org/change_user_email CSRF

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

CVSS: 5, EPSS: 0.00015
Exploits: 0, References: 3
ATTACKERKB
added 2026/06/01 7:59 p.m., 7 views

CVE-2026-49433

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

CVSS: 5, AI score: 5.8, EPSS: 0.00015
Exploits: 0, References: 4
Vulnrichment
added 2026/06/01 7:59 p.m., 10 views

CVE-2026-49433 DeepAI api.deepai.org/change_user_email CSRF

The DeepAI endpoint 'https://api.deepai.org/changeuseremail' accepts POST requests without any CSRF protection. If an attacker can trick a logged-in user into clicking a malicious link, the attacker can change the user's email address and take over their account. Fixed on 2026-05-20...

CVSS: 5, AI score: 5.8, EPSS: 0.00015
Exploits: 0, References: 3
EUVD
added 2026/05/28 1:05 p.m., 9 views

EUVD-2026-32896

The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint...

CVSS: 10, AI score: 5.8, EPSS: 0.00118
Exploits: 1, References: 1
NVD
added 2026/05/22 7:17 p.m., 8 views

CVE-2026-40172

authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...

CVSS: 8.1, EPSS: 0.00011
Exploits: 0, References: 3
ATTACKERKB
added 2026/03/03 9:53 p.m., 2 views

CVE-2026-27012

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group idgruppo by directly calling...

CVSS: 9.8, AI score: 6, EPSS: 0.00046
Exploits: 1, References: 2, Affected Software: 1
Github Security Blog
added 2026/03/03 5:43 p.m., 4 views

OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php

Summary: A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group idgruppo by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demot...

CVSS: 9.8, AI score: 6, EPSS: 0.00046
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2026/02/10 4:40 p.m., 23 views

CVE-2026-24885 Kanboard Affected by Cross-Site Request Forgery (CSRF) via Content-Type Misconfiguration in Project Role Assignment

Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a Cross-Site Request Forgery (CSRF) vulnerability exists in the ProjectPermissionController within the Kanboard application. The application fails to strictly enforce the application/json Content-Type for the...

CVSS: 5.7, EPSS: 0.00028
Exploits: 1, References: 3
Positive Technologies
added 2026/01/01 12:00 a.m., 3 views

PT-2026-7318

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.50. Description: Kanboard is project management software. A Cross-Site Request Forgery (CSRF) issue exists in the ProjectPermissionController. The application does not strictly enforce the application/json Content-Ty...

CVSS: 5.7, AI score: 5.4, EPSS: 0.00028
Exploits: 1, References: 9
Cvelist
added 2025/11/20 7:11 p.m., 3 views

CVE-2025-48986

Authorization bypass in Revive Adserver 5.5.2 and 6.0.1 and earlier versions allows a logged-in attacker to change other users' email addresses and potentially take over their accounts using the forgot-password functionality...

CVSS: 8.8, EPSS: 0.0002
Exploits: 1, References: 1
RedhatCVE
added 2025/11/02 6:43 a.m., 9 views

CVE-2025-6574

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for...

CVSS: 8.8, AI score: 6.6, EPSS: 0.0006
Exploits: 0, References: 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2018-8186

Malware in sbrugna...

CVSS: 8.8, AI score: 8.8, EPSS: 0.00112
Exploits: 1, References: 2
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2004-2140

Malware in sbrugna...

CVSS: 7.2, AI score: 6.4, EPSS: 0.00055
Exploits: 0, References: 6
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2023-30633

Malicious code in bioql PyPI...

CVSS: 6.5, AI score: 6.6, EPSS: 0.00777
Exploits: 1, References: 2
Tenable Nessus
added 2025/09/02 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2022-2568

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with 'change user' permissions to modify...

CVSS: 6.5, AI score: 6.7, EPSS: 0.0021
Exploits: 1, References: 2
OSV
added 2025/08/28 7:10 a.m., 3 views

MAL-2025-41638 Malicious code in change-user-agent (PyPI)

AI score: 7
Exploits: 0
OSSF Malicious Packages
added 2025/08/28 7:10 a.m., 3 views

Malicious code in change-user-agent (PyPI)

AI score: 7
Exploits: 0