Lucene search
K

27 matches found

Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-55460 Snipe-IT: Authorization bypass on bulk editing users

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with deleteuser=1 because BulkUsersController::destroy authorizes only update, allowing the user to...

7.1CVSS0.00285EPSS
Exploits1References3
CVE
CVE
added 5 days ago6 views

CVE-2026-55460

CVE-2026-55460 affects Snipe-IT (IT asset/license management system). Before version 8.6.2, an authenticated non-admin user who had rights users.view and users.edit but not users.delete could directly POST to /users/bulksave with delete_user=1 because BulkUsersController::destroy() authorized onl...

7.1CVSS6.1AI score0.00285EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/09 2:21 a.m.9 views

CVE-2026-41903

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERMEDITUSERS permission intended for general user-profile editing can read and modify the notification subscriptions of any other user, including admins, by sending a...

5.4CVSS5.8AI score0.00262EPSS
Exploits0References1
NVD
NVD
added 2026/05/07 7:16 p.m.9 views

CVE-2026-41903

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERMEDITUSERS permission intended for general user-profile editing can read and modify the notification subscriptions of any other user, including admins, by sending a...

5.4CVSS0.00262EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/07 6:2 p.m.34 views

CVE-2026-41903 FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifying any user's notification subscriptions (incomplete fix of CVE-2025-48472)

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERMEDITUSERS permission intended for general user-profile editing can read and modify the notification subscriptions of any other user, including admins, by sending a...

5.4CVSS0.00262EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/07 6:2 p.m.6 views

CVE-2026-41903

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERMEDITUSERS permission intended for general user-profile editing can read and modify the notification subscriptions of any other user, including admins, by sending a...

8.1CVSS5.8AI score0.00351EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/05/07 6:2 p.m.20 views

CVE-2026-41903

CVE-2026-41903 affects FreeScout (Laravel-based). Before 1.8.217, a user with PERM_EDIT_USERS can read/modify any user’s notification subscriptions via a single POST, including admins, enabling silent disabling of email/browser/mobile alerts and related notices. This is a continuation of CVE-2025...

5.4CVSS5.8AI score0.00262EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/11/19 9:10 a.m.19 views

CVE-2025-11620

The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpuaddmultiplerolesui' and 'mrpusavemultipleuserroles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated...

7.2CVSS5.1AI score0.00322EPSS
Exploits0References1
EUVD
EUVD
added 2025/11/18 8:27 a.m.6 views

EUVD-2025-197949

The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpuaddmultiplerolesui' and 'mrpusavemultipleuserroles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated...

7.2CVSS4.7AI score0.00322EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/11/18 8:27 a.m.9 views

CVE-2025-11620 Multiple Roles per User <= 1.0 - Missing Authorization to Authenticated (Custom+) Privilege Escalation

The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpuaddmultiplerolesui' and 'mrpusavemultipleuserroles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated...

7.2CVSS0.00322EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2025/11/18 8:27 a.m.4 views

CVE-2025-11620 Multiple Roles per User <= 1.0 - Missing Authorization to Authenticated (Custom+) Privilege Escalation

The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpuaddmultiplerolesui' and 'mrpusavemultipleuserroles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated...

7.2CVSS4.8AI score0.00322EPSS
Exploits0References3
CVE
CVE
added 2025/11/18 8:27 a.m.25 views

CVE-2025-11620

CVE-2025-11620 concerns the WordPress plugin Multiple Roles per User where a missing capability check on the functions mrpu_add_multiple_roles_ui and mrpu_save_multiple_user_roles in all versions up to 1.0 allows authenticated attackers with the edit_users capability to modify any user’s role (e....

7.2CVSS4.8AI score0.00322EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2025/11/18 12:0 a.m.7 views

PT-2025-47251

Name of the Vulnerable Software and Affected Versions Multiple Roles per User plugin for WordPress versions up to and including 1.0 Description The Multiple Roles per User plugin for WordPress has a flaw that allows unauthorized data modification. This is due to a missing capability check within...

7.2CVSS6.1AI score0.00322EPSS
Exploits0References7
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2015-3291

Malware in sbrugna...

6CVSS6.1AI score0.01645EPSS
Exploits0References6
CNNVD
CNNVD
added 2024/09/25 12:0 a.m.5 views

WordPress plugin Uncanny Groups for LearnDash 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability exists in...

7.2CVSS6.5AI score0.01164EPSS
Exploits1References3
OSV
OSV
added 2024/04/09 7:15 p.m.5 views

CVE-2024-1852

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

6.1CVSS6AI score0.00675EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2024/04/09 6:58 p.m.17 views

CVE-2024-1852 WP-Members Membership Plugin <= 3.4.9.2 - Unauthenticated Stored Cross-Site Scripting

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

7.2CVSS7.4AI score0.00675EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2024/04/02 12:0 a.m.9 views

PT-2024-18363 · WordPress · Wp-Members Membership Plugin

Name of the Vulnerable Software and Affected Versions: WP-Members Membership Plugin versions prior to 3.4.9.3 Description: The WP-Members Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header due to insufficient input sanitization and output...

7.2CVSS8.3AI score0.00675EPSS
Exploits0References9
Prion
Prion
added 2022/12/15 7:15 p.m.21 views

Cross site scripting

Cross Site Scripting XSS vulnerability in Users.php in eyoucms 1.5.4 allows remote attackers to run arbitrary code and gain escalated privilege via the filename for editusersheadpic...

4.9CVSS5.8AI score0.00533EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2020/12/28 10:15 p.m.5 views

CVE-2020-13474

In NCH Express Accounts 8.24 and earlier, an authenticated low-privilege user can enter a crafted URL to access higher-privileged functionalities such as Add/Edit users...

6.5CVSS6.6AI score0.00746EPSS
Exploits1References2
Rows per page
Query Builder