62 matches found
Authorization Bypass Through User-Controlled Key
Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Boards API when file ownership and access control are not properly validated. An attacker can gain unauthorized access to and download files belonging to other users or teams by...
CVE-2026-40189 goshs has a file-based ACL authorization bypass in goshs state-changing routes
goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload...
CVE-2026-0977
IBM CICS Transaction Gateway for Multiplatforms 9.3 and 10.1 could allow a user to transfer or view files due to improper access controls...
Users can modify tags on files that do not belong to them
None...
EUVD-2018-5970
Malware in sbrugna...
EUVD-2006-3825
Malware in sbrugna...
EUVD-2007-5713
Malware in sbrugna...
EUVD-2011-4153
Malware in sbrugna...
EUVD-2019-19363
Malware in sbrugna...
EUVD-2020-26991
Malware in sbrugna...
EUVD-2021-31888
Malicious code in bioql PyPI...
EUVD-2023-0344
Malicious code in bioql PyPI...
EUVD-2020-7873
Malicious code in bioql PyPI...
DOS & CO SS1 security vulnerability
DOS & CO SS1 is an asset management tool from DOS & CO Japan. A security vulnerability exists in DOS & CO SS1 Ver.16.0.0.10 and earlier versions, which stems from improper file or directory access control and could lead to remote unauthorized access...
CVE-2024-52514
Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files...
Vite's server.fs.deny bypassed with /. for files under project root
Summary: The contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Impact: Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Only files that are under project root and a...
CVE-2019-25215 ARI-Adminer <= 1.1.14 - Missing Authorization and No Direct File Access Restrictions
The ARI-Adminer plugin for WordPress is vulnerable to authorization bypass due to a lack of file access controls in nearly every file of the plugin in versions up to, and including, 1.1.14. This makes it possible for unauthenticated attackers to call the files directly and perform a wide variety ...
WordPress plugin ARI-Adminer security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plug-in. A security vulnerability...
CVE-2024-41905
A vulnerability has been identified in SINEC Traffic Analyzer 6GK8822-1BG01-0BA0 All versions V2.0. The affected application does not have access control for accessing the files. This could allow an authenticated attacker with low privileges to get access to sensitive information...
CVE-2024-27456
rack-cors aka Rack CORS Middleware 2.0.1 has 0666 permissions for the .rb files...