Lucene search
K

200 matches found

NVD
NVD
added 5 days ago6 views

CVE-2026-5135

A flaw was found in Foreman. This broken access control vulnerability allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is achieved by modifying the match field through nested host attributes, effectively bypassing...

6.5CVSS0.00262EPSS
Exploits0References6
NVD
NVD
added 6 days ago8 views

CVE-2026-58373

CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.getqueryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing checkobjectpermissions call on the parentid query parameter ...

5.3CVSS0.00204EPSS
Exploits0References4
EUVD
EUVD
added 6 days ago6 views

EUVD-2026-40361

CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.getqueryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing checkobjectpermissions call on the parentid query parameter ...

5.3CVSS5.8AI score0.00204EPSS
Exploits0References4
CVE
CVE
added 6 days ago14 views

CVE-2026-58373

CVAT before version 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that lets authenticated attackers enumerate quality report identifiers across organizations by exploiting a missing check_object_permissions on the parent_id parameter of the quality r...

5.3CVSS5.8AI score0.00204EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/29 5:22 p.m.33 views

CVE-2026-57956 SigNoz 0.130.1 - Cross-Organization Insecure Direct Object Reference in Alert Rules

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules...

6.4CVSS0.00177EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/29 5:22 p.m.7 views

EUVD-2026-40141

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules...

6.4CVSS5.8AI score0.00177EPSS
Exploits0References2
CVE
CVE
added 2026/06/29 5:22 p.m.15 views

CVE-2026-57956

SigNoz

6.4CVSS5.8AI score0.00177EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/23 6:7 p.m.8 views

CVE-2026-54322

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the targe...

7.7CVSS6.3AI score0.00186EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/23 6:7 p.m.33 views

CVE-2026-54322 Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the targe...

7.7CVSS0.00186EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 6:7 p.m.11 views

CVE-2026-54322

The CVE-2026-54322 issue affects Daytona prior to 0.185.0, where organization role update/delete endpoints granted access based on the caller’s ownership of an org but validated the target role only by its identifier, not by org ownership. This cross-org IDOR lets an authenticated user who owns a...

7.7CVSS6.3AI score0.00186EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 12:12 p.m.32 views

CVE-2026-56222 Capgo - Cross-Organization App Takeover via Mismatched org_id and app_id in /private/role_bindings

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/rolebindings that fails to verify appid ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by...

8.6CVSS0.00356EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/23 12:12 p.m.4 views

CVE-2026-56222

Capgo before 12.128.2 contains an authorization bypass vulnerability in POST /private/rolebindings that fails to verify appid ownership during app-scoped role binding creation. An attacker with administrative privileges in one organization can create role bindings targeting applications owned by...

8.6CVSS6AI score0.00356EPSS
Exploits0References3
CVE
CVE
added 2026/06/23 12:12 p.m.10 views

CVE-2026-56222

Capgo before 12.128.2 has an authorization bypass in POST /private/role_bindings due to failure to verify app_id ownership during app-scoped role binding creation. An administrator in one organization can create role bindings targeting apps owned by other organizations, enabling unauthorized read...

8.6CVSS6AI score0.00356EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.8 views

PT-2026-51500

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An authorization bypass exists in the 'POST /private/role bindings' endpoint. The system fails to verify the ownership of the app id during the creation of app-scoped role bindings. This allows an...

8.6CVSS5.8AI score0.00356EPSS
Exploits0References8
NVD
NVD
added 2026/06/22 2:17 p.m.8 views

CVE-2026-56424

MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could...

8.8CVSS0.00361EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/22 12:17 p.m.28 views

CVE-2026-56424 Broken access control in MISP core allows cross-organization unauthorized modification or deletion of analyst data, event reports, collections, templates, and decaying models

MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could...

7.1CVSS0.00361EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/22 12:17 p.m.8 views

EUVD-2026-38227

MISP core contained multiple broken access-control flaws where authorization checks were performed against the wrong entity, or where ownership/editability checks were missing on write paths. In affected subsystems, a lower-privileged authenticated user with the relevant feature permission could...

7.1CVSS5.9AI score0.00361EPSS
Exploits0References5
CVE
CVE
added 2026/06/22 12:17 p.m.13 views

CVE-2026-56424

CVE-2026-56424 affects MISP core and describes multiple broken access-control flaws where authorization checks target the wrong entity or where ownership checks are missing on write paths. In affected subsystems, a lower-privileged authenticated user with relevant feature permissions could cause ...

8.8CVSS5.9AI score0.00361EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/06/22 11:56 a.m.27 views

CVE-2026-56423 MISP Core: Broken access control allows instance-wide unauthorized deletion of event reports and sharing groups via bulk deletion endpoints

MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object. For Event Reports,...

9.4CVSS0.00261EPSS
Exploits0References2
CVE
CVE
added 2026/06/22 11:56 a.m.19 views

CVE-2026-56423

Summary: CVE-2026-56423 affects MISP Core where bulk deletion (Event Reports and Sharing Groups) used broad role permissions instead of per-object authorization checks, enabling instance-wide deletions by eligible users. What was vulnerable: EventReportsController::deleteSelection relied on the g...

9.4CVSS6AI score0.00261EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder