Lucene search
K

24 matches found

Vulnrichment
Vulnrichment
added 2026/06/12 3:1 p.m.9 views

CVE-2026-50084 Aqara API cross-account access

The Aqara Cloud Production API open-cn.aqara.com/v3.0/open/api would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N 9.6 Critical. When combined with...

9.6CVSS5.4AI score0.00213EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 3:1 p.m.28 views

CVE-2026-50084 Aqara API cross-account access

The Aqara Cloud Production API open-cn.aqara.com/v3.0/open/api would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N 9.6 Critical. When combined with...

9.6CVSS0.00213EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 3:1 p.m.36 views

CVE-2026-50084

CVE-2026-50084 concerns the Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api), where any valid developer token could access any account due to missing authorization (CWE-862). The CVSSv3.1 base score is 9.6 (CRITICAL): Network-based, Low attack complexity, Privileges Required: Low, Use...

9.6CVSS5.4AI score0.00213EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/09 4:15 a.m.11 views

EUVD-2026-28904

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. ...

9.1CVSS5.7AI score0.00417EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/09 4:15 a.m.7 views

CVE-2026-42560

auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. ...

9.1CVSS5.7AI score0.00417EPSS
Exploits0References5Affected Software1
CNNVD
CNNVD
added 2026/05/09 12:0 a.m.18 views

Auth 授权问题漏洞

Auth is a user authentication and management system open sourced by Supabase. There were vulnerabilities related to authorization in versions of Auth from 1.18.0 to 1.25.2, and from 2.0.0 to 2.1.2. This vulnerability stemmed from the Patreon OAuth provider, which mapped all authenticated Patreon...

9.1CVSS5.8AI score0.00417EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/21 12:42 a.m.5 views

CVE-2026-32067 OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store

OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically...

3.7CVSS5.8AI score0.00165EPSS
Exploits0References4
CVE
CVE
added 2026/03/21 12:42 a.m.11 views

CVE-2026-32067

OpenClaw contains an authorization bypass in the direct-message pairing policy. Specifically, versions prior to 2026.2.26 allow reuse of pairing approvals across multiple accounts due to an unscoped/weak pairing-store access-control check, enabling a sender approved in one account to be automatic...

8.1CVSS5.8AI score0.00165EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/03/04 6:56 p.m.4 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization through improper access control in the pairing store process. An attacker can gain unauthorized access to another account's direct message pairing by leveraging...

8.1CVSS5.8AI score0.00165EPSS
Exploits0References2
OSV
OSV
added 2026/01/27 8:16 p.m.6 views

CVE-2026-24858

An Authentication Bypass Using an Alternate Path or Channel vulnerability CWE-288 vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager...

9.8CVSS5.8AI score0.85844EPSS
Exploits0References3
CVE
CVE
added 2026/01/19 8:43 p.m.14 views

CVE-2026-23844

CVE-2026-23844 affects Whisper Money, a personal finance app. The vulnerability is an insecure direct object reference (IDOR) in the sync/balances endpoint, allowing a user to update or create account balances in other users’ bank accounts. Root cause is improper authorization checks for direct o...

7.1CVSS5.5AI score0.00193EPSS
Exploits0References3Affected Software1
CNNVD
CNNVD
added 2025/11/20 12:0 a.m.5 views

Revive Adserver 安全漏洞

Revive Adserver is an open source ad serving system that allows advertisers, publishers, and networks to place ads on multiple platforms e.g., websites, apps, video players and supports ad effectiveness tracking, campaign management, and placement rule definition. Revive Adserver suffers from a...

7.1CVSS6.8AI score0.00275EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2025/10/06 12:0 a.m.5 views

PT-2025-40946

Name of the Vulnerable Software and Affected Versions YoSmart YoLink MQTT broker versions through 2025-10-02 Description The YoLink MQTT broker does not adequately enforce authorization controls, which can lead to cross-account attacks. An attacker who obtains device IDs can remotely operate...

4.9CVSS6.6AI score0.0027EPSS
Exploits0References7
IBM Security Bulletins
IBM Security Bulletins
added 2025/08/11 10:6 p.m.7 views

Security Bulletin: Astronomer with IBM is vulnerable to API abuse due to the NATS-Server package (CVE-2025-30215)

Summary NATS-Server is used by Astronomer with IBM as part of the messaging functionality. Vulnerability Details CVEID:CVE-2025-30215 DESCRIPTION: NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27...

9.6CVSS6.9AI score0.00561EPSS
Exploits0Affected Software1
OSV
OSV
added 2025/04/16 12:15 a.m.6 views

AZL-60406 CVE-2025-30215 affecting package telegraf for versions less than 1.31.0-9

NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially expose...

9.6CVSS7.1AI score0.00561EPSS
Exploits0References1
OSV
OSV
added 2025/04/16 12:15 a.m.2 views

UBUNTU-CVE-2025-30215

NATS-Server is a High-Performance server for NATS.io, the cloud and edge native messaging system. In versions starting from 2.2.0 but prior to 2.10.27 and 2.11.1, the management of JetStream assets happens with messages in the $JS. subject namespace in the system account; this is partially expose...

9.6CVSS7.1AI score0.00561EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2024/06/11 4:49 p.m.20 views

CVE-2024-37293 aws-deployment-framework's potential risk can lead to privilege escalation

The AWS Deployment Framework ADF is a framework to manage and deploy resources across multiple AWS accounts and regions within an AWS Organization. ADF allows for staged, parallel, multi-account, cross-region deployments of applications or resources via the structure defined in AWS Organizations...

7.5CVSS7.6AI score0.00245EPSS
Exploits0References4
CVE
CVE
added 2024/06/11 4:49 p.m.57 views

CVE-2024-37293

The CVE concerns the AWS Deployment Framework (ADF) bootstrap process. Prior to v4.0.0, the bootstrap CodeBuild role could call sts:AssumeRole without restrictions, enabling escalation to any AWS account in the organization with elevated privileges. Patches are included in aws-deployment-framewor...

7.8CVSS7.9AI score0.00245EPSS
Exploits0References4Affected Software1
MSRC
MSRC
added 2022/04/28 7:0 a.m.26 views

Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution

MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure CVD of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. By exploiting an elevated permissions bug in the Flexib...

1.7AI score
Exploits0
MSRC
MSRC
added 2022/04/28 7:0 a.m.13 views

Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution

MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure CVD of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. By exploiting an elevated permissions bug in the Flexib...

7.2AI score
Exploits0
Rows per page
Query Builder