Lucene search
K

36 matches found

EUVD
EUVD
added 2 days ago6 views

EUVD-2026-40141

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules...

6.4CVSS5.8AI score0.00177EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/29 4:40 p.m.33 views

CVE-2026-43917 Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints missing activeOrganizationId validation

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource's org matches the session's...

5.3CVSS0.00225EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/28 6:8 p.m.24 views

OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd

Summary An organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. Impact Full platform access, access to sensitive or proprietary information...

7.2CVSS5.8AI score0.00316EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/14 7:58 p.m.11 views

CVE-2026-44204

Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user any role to execute arbitrary SQL and read data from any table in the database, including data belonging to...

6.5CVSS6.2AI score0.00228EPSS
Exploits0References1
NVD
NVD
added 2026/05/11 11:20 p.m.16 views

CVE-2026-43912

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groupsusers.usersorganizationsuuid entry belongs to the same organization as groups.groupsuuid, or a collectionsgroups.collectionsuuid entry belongs to the same organization as...

8.7CVSS0.00289EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 9:56 p.m.11 views

CVE-2026-43912

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groupsusers.usersorganizationsuuid entry belongs to the same organization as groups.groupsuuid, or a collectionsgroups.collectionsuuid entry belongs to the same organization as...

8.7CVSS5.9AI score0.00289EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/05/06 6:30 p.m.9 views

Velocidex Velociraptor has an Incorrect Authorization issue

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization the lowest authenticated role, holding only READRESULTS permission can issue a single authenticated HTTP GET that can read any files...

6.8CVSS5.7AI score0.00236EPSS
Exploits0References3Affected Software1
Snyk
Snyk
added 2026/05/06 5:27 p.m.7 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the HTTP Filestore API endpoints. An attacker can access files from other organizations without explicit permissions by issuing a single authenticated HTTP GET request while holding only minimal read privileg...

6.8CVSS5.8AI score0.00236EPSS
Exploits0References2
CVE
CVE
added 2026/05/06 2:50 p.m.11 views

CVE-2026-6863

CVE-2026-6863 affects Velociraptor versions prior to 0.76.4, where the HTTP API permits a cross-organization authorization bypass. A user with only the reader role in the root organization (lowest authenticated role with READ_RESULTS) can issue a single authenticated HTTP GET that can read any fi...

6.8CVSS5.7AI score0.00236EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/06 4:12 a.m.9 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GetUserRoles API endpoint. An attacker can access ACL policies for any user across all organizations by supplying specific Name and Org parameters in a network request. Remediatio...

7.7CVSS5.8AI score0.00255EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/06 12:0 a.m.9 views

Velociraptor 安全漏洞

Velociraptor is an open-source tool developed by Velocidex, designed for querying and collecting host-based status information using the Velociraptor Query Language VQL. Versions of Velociraptor prior to 0.76.4 contained security vulnerabilities. These vulnerabilities were due to a...

6.8CVSS5.8AI score0.00236EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/29 9:44 p.m.6 views

Incorrect Authorization

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Incorrect Authorization via the contactsdata.php process. An attacker can access sensitive user data from all organizations by direct...

6.9CVSS5.8AI score0.00322EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 8:23 p.m.10 views

Incorrect Permission Assignment for Critical Resource

Overview Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the Correlations feature due to a backward compatibility condition that allows records with orgid=0 to be accessed across organizations. An attacker with datasource management...

3.8CVSS5.8AI score0.00204EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/15 6:31 p.m.6 views

EUVD-2026-22995

Velociraptor versions prior to 0.76.3 contain a vulnerability in the query plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query plugin, in a notebook cell, to run VQL queries on other orgs which th...

8CVSS5.8AI score0.00224EPSS
Exploits0References2
OSV
OSV
added 2026/04/15 6:31 p.m.6 views

GHSA-HV5G-26JG-PC45 Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token

Velociraptor versions prior to 0.76.3 contain a vulnerability in the query plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query plugin, in a notebook cell, to run VQL queries on other orgs which th...

9.1CVSS5.8AI score0.00224EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/15 6:24 p.m.6 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the query plugin. An attacker can gain unauthorized access to resources belonging to other organizations by executing VQL queries with their current ACL token, thereby inheriting their permissions across...

9.1CVSS5.7AI score0.00224EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 6:24 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the query plugin. An attacker can gain unauthorized access to resources belonging to other organizations by executing VQL queries with their current ACL token, thereby inheriting their permissions across...

9.1CVSS5.7AI score0.00224EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 6:24 p.m.6 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the query plugin. An attacker can gain unauthorized access to resources belonging to other organizations by executing VQL queries with their current ACL token, thereby inheriting their permissions across...

9.1CVSS5.7AI score0.00224EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 6:24 p.m.6 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the query plugin. An attacker can gain unauthorized access to resources belonging to other organizations by executing VQL queries with their current ACL token, thereby inheriting their permissions across...

9.1CVSS5.7AI score0.00224EPSS
Exploits0References2
FreeBSD
FreeBSD
added 2026/04/12 12:0 a.m.33 views

Vaultwarden -- Multiple vulnerabilities

The Vaultwarden project reports: GHSA-937x-3j8m-7w7p Unconfirmed Owner Can Purge Entire Organization Vault. GHSA-569v-845w-g82p Cross-Org Group Binding Enables Unauthorized Read And Write Access Into Another Organization GHSA-6j4w-g4jh-xjfx Refresh tokens not invalidated on security stamp rotatio...

5.8AI score
Exploits0References1
Rows per page
Query Builder