Positive Technologies
added 2026/06/26 12:00 a.m., 9 views

PT-2026-52778

Name of the Vulnerable Software and Affected Versions: Teable, affected versions not specified. Description: The v2 REST API controller lacks @Permissions metadata on ORPC endpoints, which enables authenticated users to bypass authorization checks. This allows unauthorized reading of table schemas,...

CVSS 8.8, AI score 5.8, EPSS 0.00371
Exploits 0, References 6
NVD
added 2026/06/25 8:17 p.m., 12 views

CVE-2026-57520

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

CVSS 7.1, EPSS 0.00277
Exploits 1, References 5
NVD
added 2026/06/25 7:16 p.m., 10 views

CVE-2026-54097

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser with create + delete permissions in their own isolated scope can silently destroy share-link...

CVSS 7.2, EPSS 0.00411
Exploits 0, References 3
EUVD
added 2026/06/25 7:08 p.m., 5 views

EUVD-2026-39541

Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin...

CVSS 7.1, AI score 5.9, EPSS 0.00277
Exploits 1, References 5
OSV
added 2026/06/25 6:26 p.m., 4 views

GO-2026-5159 File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix in github.com/filebrowser/filebrowser

CVSS 7.2, AI score 5.8, EPSS 0.00411
Exploits 0, References 3
CVE
added 2026/06/25 5:40 p.m., 20 views

CVE-2026-54097

Summary of CVE-2026-54097 (File Browser): A low-privileged authenticated user with create/delete permissions within their own scope could trigger deletion of other users' share links by performing a DELETE on a file whose logical path is a byte-prefix of another user's share.Link.Path. The backe...

CVSS 7.2, AI score 5.8, EPSS 0.00411
Exploits 0, References 3
Cvelist
added 2026/06/25 5:32 p.m., 18 views

CVE-2026-55667 File Browser: Out-of-scope file deletion by a Create-only scoped user via symlink-following RemoveAll in upload failure-cleanup

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holding only the Create permission can delete arbitrary files outside their scope, other tenants' data, a...

CVSS 8.2, EPSS 0.00359
Exploits 0, References 1
NVD
added 2026/06/25 5:16 p.m., 6 views

CVE-2026-54029

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any other user's messages. The validateMessageReq middleware only validates that the conversationId...

CVSS 6.5, EPSS 0.00159
Exploits 1, References 1
Cvelist
added 2026/06/25 4:52 p.m., 19 views

CVE-2026-50015 pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm's patch application pipeline @pnpm/patch-package performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or...

CVSS 7.3, EPSS 0.0027
Exploits 1, References 1
CVE
added 2026/06/25 3:51 p.m., 7 views

CVE-2026-54029

CVE-2026-54029 affects LibreChat prior to 0.8.4-rc1. The bug is in the DELETE /api/messages/:conversationId/:messageId endpoint where authentication validates the conversationId but the deleteMessages({ messageId }) call uses only messageId as the MongoDB filter, omitting a user constraint. As a ...

CVSS 6.5, AI score 5.9, EPSS 0.00159
Exploits 1, References 1, Affected Software 1
AlpineLinux
added 2026/06/25 3:25 p.m., 6 views

CVE-2026-48941

The K2 frontend item.checkin task accepts an unauthenticated sigProFolder query parameter and uses it directly to address a JFolder::delete call under /media/k2/galleries/...

CVSS 6.5, AI score 5.8, EPSS 0.00159
Exploits 0, References 1
ATTACKERKB
added 2026/06/25 3:25 p.m., 5 views

CVE-2026-48941

The K2 frontend item.checkin task accepts an unauthenticated sigProFolder query parameter and uses it directly to address a JFolder::delete call under /media/k2/galleries/...

CVSS 6.5, AI score 5.8, EPSS 0.00159
Exploits 0, References 2, Affected Software 1
Cvelist
added 2026/06/25 3:25 p.m., 31 views

CVE-2026-48941 Joomla Extension - getk2.org - Unauthenticated folder delete in K2 extension for Joomla < 2.26

The K2 frontend item.checkin task accepts an unauthenticated sigProFolder query parameter and uses it directly to address a JFolder::delete call under /media/k2/galleries/...

EPSS 0.00159
Exploits 0, References 1
EUVD
added 2026/06/25 3:25 p.m., 4 views

EUVD-2026-39443

The K2 frontend item.checkin task accepts an unauthenticated sigProFolder query parameter and uses it directly to address a JFolder::delete call under /media/k2/galleries/...

CVSS 6.5, AI score 5.8, EPSS 0.00159
Exploits 0, References 1
EUVD
added 2026/06/25 9:31 a.m., 7 views

EUVD-2026-39186

The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records...

CVSS 6.5, AI score 5.8, EPSS 0.00164
Exploits 0, References 2
CVE
added 2026/06/25 6:00 a.m., 14 views

CVE-2026-10824

The Masteriyo LMS WordPress plugin, version before 2.2.1, has missing authorization checks in the course-progress REST API controller. This allows unauthenticated users to read and permanently delete any user's course-progress records. The vulnerability is caused by insufficient access control in...

CVSS 6.5, AI score 5.8, EPSS 0.00164
Exploits 0, References 1
Nuclei
added 2026/06/25 1:31 a.m., 51 views

Grafana Snapshot - Authentication Bypass

Grafana instances up to 7.5.11 and 8.1.5 allow remote unauthenticated users to view the snapshot associated with the lowest database key by accessing the literal paths /api/snapshot/:key or /dashboard/snapshot/:key. If the snapshot is in public mode, unauthenticated users can delete snapshots by...

CVSS 9.8, AI score 6.9, EPSS 0.99888
Exploits 1, References 5
EUVD
added 2026/06/25 12:33 a.m., 5 views

EUVD-2025-210331

A use-after-free in the gf_filter_pid_inst_swap_delete_task function in /filter_core/filter_pid.c of GPAC Project/MP4Box before 26.02.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted media file...

CVSS 7.5, AI score 5.9, EPSS 0.0051
Exploits 1, References 6
Positive Technologies
added 2026/06/25 12:00 a.m., 13 views

PT-2026-52574

Name of the Vulnerable Software and Affected Versions: Bitwarden Server versions prior to 2026.5.0. Description: An issue exists where authenticated Custom users with the ManageUsers permission can escalate privileges to remove Admin accounts from an organization. This occurs due to a missing role...

CVSS 7.1, AI score 5.8, EPSS 0.00277
Exploits 1, References 8
Positive Technologies
added 2026/06/25 12:00 a.m., 6 views

PT-2026-52626

Name of the Vulnerable Software and Affected Versions: Cacti versions prior to 1.2.31. Description: An issue exists in the performance and fault management framework where improper handling of deserialized data leads to SQL Injection. In the 'managers.php' file, the application processes the selecte...

CVSS 7.2, AI score 5.9, EPSS 0.00279
Exploits 1, References 10