Lucene search
K

11 matches found

EUVD
EUVD
added 4 days ago8 views

EUVD-2026-41860

An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user...

9.3CVSS5.9AI score0.00309EPSS
Exploits0References1
CVE
CVE
added 4 days ago9 views

CVE-2026-12686

CVE-2026-12686 affects Adiss’s Biloop: an authenticated user can manipulate a company ID in a POST to the backend, bypassing cross-tenant authorization and gaining access to other companies’ data (including billing) and potentially modifying third-party data. Root cause is inadequate verification...

9.3CVSS5.9AI score0.00309EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 4 days ago7 views

PT-2026-55915

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description An authenticated user can perform a cross-tenant authorization bypass by manipulating a company ID parameter in a POST request to the backend. The application...

9.3CVSS5.9AI score0.00309EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/15 10:4 a.m.10 views

EUVD-2026-36711

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyIdID/Audio/ and...

6.9CVSS5.3AI score0.00397EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/15 10:4 a.m.35 views

CVE-2026-34028 Unauthenticated direct access to web data in Wertheim SafeController Software exposes files

The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated attacker can directly access HTTP endpoints to download files from locations such as /Resources/CompanyIdID/Audio/ and...

6.9CVSS0.00397EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/21 3:26 a.m.30 views

CVE-2026-3506 WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover

The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the...

5.3CVSS0.00273EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/03/21 3:26 a.m.2 views

CVE-2026-3506

The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the...

5.3CVSS5.8AI score0.00273EPSS
Exploits0References9
EUVD
EUVD
added 2026/03/05 9:30 p.m.7 views

EUVD-2025-208325

OpenCode Systems OC Messaging / USSD Gateway OC Release 6.32.2 contains a broken access control vulnerability in the web-based control panel allowing authenticated low-privileged attackers to gain to access to arbitrary SMS messages via a crafted company or tenant identifier parameter...

6AI score0.00261EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/05 12:0 a.m.6 views

PT-2026-23502

Name of the Vulnerable Software and Affected Versions OpenCode Systems OC Messaging / USSD Gateway version 6.32.2 Description The software contains a flaw in access control within the web-based control panel. An authenticated attacker with limited privileges can access arbitrary SMS messages by...

8.1CVSS5.9AI score0.00261EPSS
Exploits0References6
OSV
OSV
added 2024/08/29 11:15 a.m.5 views

CVE-2024-29731

SQL injection vulnerabilities in SportsNET affecting version 4.0.1. These vulnerabilities could allow an attacker to retrieve, update and delete all information in the database by sending a specially crafted SQL query: https://XXXXXXX.saludydesafio.com/app/ax/checkBlindFields/ , parameters...

9.8CVSS5.8AI score0.00408EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2022/08/18 8:15 p.m.4 views

CVE-2022-25228

CandidATS Version 3.0.0 Beta allows an authenticated user to inject SQL queries in '/index.php?m=settings&a=show' via the 'userID' parameter, in '/index.php?m=candidates&a=show' via the 'candidateID', in '/index.php?m=joborders&a=show' via the 'jobOrderID' and '/index.php?m=companies&a=show' via...

6.5CVSS6.7AI score0.00844EPSS
Exploits1References3
Rows per page
Query Builder