Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key because the create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker...
Improper Privilege Management
Overview Affected versions of this package are vulnerable to Improper Privilege Management in PATCH /api/v3/core/users/pk/. An attacker can gain elevated privileges by assigning arbitrary groups, including those with administrator-equivalent permissions, to users they control or have access to,...
CVE-2026-40172
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...
EUVD-2026-30857
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...
CVE-2026-46721 Broken Access Control in extension "Frontend User Registration" (sf_register)
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...
CVE-2026-46721
Summary (CVE-2026-46721): The issue is in the TYPO3 extension “Frontend User Registration” (sf_register). The create/edit flows allow submitting arbitrary user properties and do not enforce frontend access control on user-group assignment, enabling an attacker to assign any frontend user group to...
Placement of User into Incorrect Group
Overview github.com/ubuntu/authd/internal/users is an authentication daemon for external Brokers. Affected versions of this package are vulnerable to Placement of User into Incorrect Group in the process responsible for assigning primary group IDs when a user's primary group ID differs from their...
CVE-2026-25040
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or Ap...
EUVD-2026-4950
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or Ap...
EUVD-2016-9902
Malware in sbrugna...
EUVD-2020-24744
Malware in sbrugna...
EUVD-2023-41385
Malicious code in bioql PyPI...
CVE-2023-37498
A user is capable of assigning him/herself to arbitrary groups by reusing a POST request issued by an administrator. It is possible that an attacker could potentially escalate their privileges...
HCL Unica Platform Security Vulnerability
HCL Technologies HCL Unica Platform is a state-of-the-art enterprise automated marketing platform from HCL Technologies, USA. No manual effort is required to handle routine marketing tasks and capture the most effective leads. A security vulnerability exists in HCL Unica Platform versions prior t...
PT-2023-25995 · Hcl +1 · Hcl Unica Platform +1
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned. Description: A user can assign themselves to arbitrary groups by reusing a POST request issued by an administrator, potentially allowing an attacker to escalate their privileges. Recommendations...
CVE-2023-27310
Siemens RUGGEDCOM CROSSBOW (all versions prior to V5.2) contains a missing-authorization vulnerability in the client query handler: when assigning groups to user accounts, it does not properly enforce permissions, potentially allowing an authenticated remote attacker to elevate privileges by addi...
PT-2022-6796 · Ceph +5 · Ceph +5
Name of the Vulnerable Software and Affected Versions: Ceph affected versions not specified Description: A privilege escalation flaw was found in Ceph, specifically in the Ceph-crash.service component. This issue allows a local attacker to escalate privileges to root in the form of a crash dump,...
Samba 3.0.25 <= 3.0.25c Vulnerability (CVE-2007-4138)
Incorrect primary group assignment for domain users using the rfc2307 or sfu winbind nss info plugin. Copyright (C) 2021 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier:...
CVE-2020-3530
A vulnerability in task group assignment for a specific CLI command in Cisco IOS XR Software could allow an authenticated, local attacker to execute that command, even though administrative privileges should be required. The attacker must have valid credentials on the affected device. The...