
24 matches found

CVE
added 3 days ago, 15 views

CVE-2026-10215

Dolibarr ERP CRM up to version 23.0.1 is affected by CVE-2026-10215 in the Leave Request REST API component, specifically the file htdocs/holiday/class/api_holidays.class.php, function checkUserAccessToObject. The issue allows improper authorization, potentially enabling remote exploitation. Publ...

CVSS 5.3, AI score 5.4, EPSS 0.00038
Exploits 0, References 9
NVD
added 2026/04/14 11:16 p.m., 0 views

CVE-2026-34457

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration such as nginx auth_request and either...

CVSS 9.1, EPSS 0.00053
Exploits 0, References 2
Snyk
added 2026/04/14 10:31 p.m., 0 views

User Impersonation

Overview: Affected versions of this package are vulnerable to User Impersonation via the isHealthCheckRequest function in pkg/middleware/healthcheck.go. An attacker can reach protected endpoints by sending a request with a configured health-check User-Agent, causing the middleware to treat the...

CVSS 9.3, AI score 5.7, EPSS 0.00053
Exploits 0, References 2
Snyk
added 2026/04/14 10:31 p.m., 1 view

User Impersonation

Overview: Affected versions of this package are vulnerable to User Impersonation via the isHealthCheckRequest function in pkg/middleware/healthcheck.go. An attacker can reach protected endpoints by sending a request with a configured health-check User-Agent, causing the middleware to treat the...

CVSS 9.3, AI score 5.7, EPSS 0.00053
Exploits 0, References 2
Vulnrichment
added 2026/04/06 7:10 p.m., 2 views

CVE-2026-35182 Missing Authorization Privilege Escalation

Brave CMS is an open-source CMS. Prior to 2.0.6, this vulnerability is a missing authorization check found in the update role endpoint at routes/web.php. The POST route for /rights/update-role/id lacks the checkUserPermissions:assign-user-roles middleware. This allows any authenticated user to...

CVSS 8.8, AI score 5.9, EPSS 0.00043
Exploits 1, References 1
RedhatCVE
added 2026/03/28 4:59 p.m., 1 view

CVE-2026-4959

A vulnerability was found in OpenBMB XAgent 1.0.0. This impacts the function check_user of the file XAgentServer/application/websockets/share.py of the component ShareServer WebSocket Endpoint. Performing a manipulation of the argument interaction_id results in missing authentication. Remote...

CVSS 7.5, AI score 6.6, EPSS 0.00224
Exploits 1, References 1
CVE
added 2026/03/27 3:31 p.m., 3 views

CVE-2026-4959

OpenBMB XAgent 1.0.0 contains a vulnerability in the ShareServer WebSocket Endpoint (XAgentServer/application/websockets/share.py, function check_user). Manipulating the argument interaction_id results in missing authentication, enabling remote exploitation. The exploit has been publicized, and t...

CVSS 7.5, AI score 6.6, EPSS 0.00224
Exploits 1, References 4, Affected Software 1
RedhatCVE
added 2026/02/09 7:23 p.m., 4 views

CVE-2026-2158

A vulnerability was detected in code-projects Student Web Portal 1.0. This impacts an unknown function of the file /check_user.php. Performing a manipulation of the argument Username results in SQL injection. It is possible to initiate the attack remotely...

CVSS 9.8, AI score 5.5, EPSS 0.00053
Exploits 1, References 1
Vulnrichment
added 2026/02/08 3:02 p.m., 2 views

CVE-2026-2158 code-projects Student Web Portal check_user.php sql injection

A vulnerability was detected in code-projects Student Web Portal 1.0. This impacts an unknown function of the file /check_user.php. Performing a manipulation of the argument Username results in SQL injection. It is possible to initiate the attack remotely...

CVSS 7.5, AI score 5.5, EPSS 0.00053
Exploits 1, References 5
Positive Technologies
added 2026/02/08 12:00 a.m., 1 view

PT-2026-6989

Name of the Vulnerable Software and Affected Versions: code-projects Student Web Portal version 1.0. Description: A flaw exists in code-projects Student Web Portal 1.0 that allows for remote execution of SQL injection. The issue is located in the file /check_user.php and involves manipulation of the...

CVSS 7.5, AI score 5.8, EPSS 0.00053
Exploits 1, References 7
GithubExploit
added 2026/02/02 3:16 p.m., 130 views

CVE_choco_3

DESCRIPTION - During the security assessment of "STUDENT WEB...

AI score 5.7
Exploits 0
NVD
added 2025/05/31 7:15 a.m., 13 views

CVE-2025-4631

The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktendobject endpoint in versions 2.0.6.0 to 2.1.1.3. This makes it possible to trigger the saveobjectasuser function for objects whose 'datatype' is set to 'users'. This allows...

CVSS 9.8, EPSS 0.01109
Exploits 1, References 6
Cvelist
added 2024/12/04 3:22 p.m., 19 views

CVE-2024-11643 Accessibility by AllAccessible <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update

The Accessibility by AllAccessible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'AllAccessiblesavesettings' function in all versions up to, and including, 1.3.4. This makes it possible for...

CVSS 8.8, EPSS 0.01464
Exploits 0, References 3
Github Security Blog
added 2022/05/02 12:10 a.m., 6 views

AdaptCMS SQL Injection vulnerability

SQL injection vulnerability in the "Check User" feature includes/checkuser.php in AdaptCMS Lite and AdaptCMS Pro 1.3 allows remote attackers to execute arbitrary SQL commands via the username parameter...

CVSS 7.5, AI score 9, EPSS 0.0138
Exploits 0, References 6, Affected Software 1
GitLab Advisory Database
added 2022/05/02 12:00 a.m., 6 views

AdaptCMS SQL Injection vulnerability

SQL injection vulnerability in the "Check User" feature includes/checkuser.php in AdaptCMS Lite and AdaptCMS Pro 1.3 allows remote attackers to execute arbitrary SQL commands via the username parameter...

CVSS 7.5, AI score 8.7, EPSS 0.0138
Exploits 0, References 6, Affected Software 1
CNVD
added 2020/09/27 12:00 a.m., 1 view

ismartgate PRO /cron/checkUserExpirationDate.php Elevation of Privilege Vulnerability

iSmartGate is a smart garage door opener system. A security vulnerability exists in ismartgate PRO /cron/checkUserExpirationDate.php, which allows remote attackers to exploit the vulnerability to submit special requests that can elevate privileges...

CVSS 9.8, AI score 6.9, EPSS 0.00436
Exploits 1, References 1
Cvelist
added 2019/09/27 6:05 p.m., 11 views

CVE-2019-9235

In NFC, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-122323053...

AI score 5.5, EPSS 0.00017
Exploits 0, References 1
OSV
added 2019/06/19 5:15 p.m., 2 views

CVE-2019-11233

EXCELLENT INFOTEK BiYan v1.57 v2.8 allows an attacker to leak user information without being authenticated, by sending a LOGINID element to the auth/main/asp/checkuserlogininfo.aspx URI, and then reading the response, as demonstrated by the KWEMAIL or KWTEL field...

CVSS 7.5, AI score 5.8, EPSS 0.00362
Exploits 1, References 1
OSV
added 2019/06/02 8:29 p.m., 11 views

CVE-2017-18376

An improper authorization check in the User API in TheHive before 2.13.4 and 3.x before 3.3.1 allows users with read-only or read/write access to escalate their privileges to the administrator's privileges. This affects app/controllers/UserCtrl.scala...

CVSS 8.8, AI score 7.1
Exploits 0, References 3
Prion
added 2009/02/19 4:30 p.m., 10 views

Directory traversal

Multiple directory traversal vulnerabilities in LightBlog 9.8, when magic_quotes_gpc is disabled, allow remote attackers to include and execute arbitrary local files via a .. (dot dot) in the (1) username parameter to viewmember.php, (2) usernamepost parameter to login.php, and the (3) Lightblogusername...

CVSS 6.8, AI score 7.8, EPSS 0.0383
Exploits 1, References 4, Affected Software 1