Lucene search
+L

6 matches found

vulnersOsv
vulnersOsv
added 2026/03/19 6:37 p.m.7 views

@kids-reporter/cms-core (>=1.0.17 <=1.0.36), @kids-reporter/draft-editor (>=1.0.19 <=1.0.36) potentially affected by CVE-2025-46720 +1 more via @keystone-6/core (=6.5.1)

@keystone-6/core NPM version =6.5.1 is affected by a known vulnerability. The following packages have a transitive dependency on @keystone-6/core and may be impacted: - @kids-reporter/cms-core =1.0.17, =1.0.19, =1.0.36 Source cves: CVE-2025-46720, CVE-2026-33326 Source advisory:...

4.3CVSS5.4AI score0.00257EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/07 7:14 p.m.20 views

CVE-2025-46720

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

4.3CVSS6.7AI score0.00234EPSS
Exploits0References1
NVD
NVD
added 2025/05/05 7:15 p.m.38 views

CVE-2025-46720

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

4.3CVSS0.00234EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/05/05 6:53 p.m.15 views

CVE-2025-46720 Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

3.1CVSS3.8AI score0.00234EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/05/05 6:53 p.m.40 views

CVE-2025-46720 Keystone has an unintended `isFilterable` bypass that can be used as an oracle to match hidden fields

Keystone is a content management system for Node.js. Prior to version 6.5.0, field.isFilterable access control can be bypassed in update and delete mutations by adding additional unique filters. These filters can be used as an oracle to probe the existence or value of otherwise unreadable fields...

3.1CVSS0.00234EPSS
Exploits0References1
CVE
CVE
added 2025/05/05 6:53 p.m.86 views

CVE-2025-46720

Keystone (Node.js CMS) prior to 6.5.0 has an Access Control Bypass in update/delete mutations: when a where clause uses multiple unique filters, the isFilterable check can be bypassed, enabling inference of hidden field values. The issue is patched in @keystone-6/core v6.5.0. Mitigations from the...

4.3CVSS3.8AI score0.00234EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder