Lucene search
+L

10350 matches found

Cvelist
Cvelist
added 2026/07/08 1:30 p.m.31 views

CVE-2026-60124 MISP importModule missing authorization allows read-only users to modify events via misp_standard imports

An authorization bypass in MISP’s EventsController::importModule allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the mispstandard format, the write path did not verify eve...

5.3CVSS0.0022EPSS
Exploits0References1
CVE
CVE
added 2026/07/08 1:30 p.m.8 views

CVE-2026-60124

The CVE-2026-60124 in MISP concerns an authorization bypass in EventsController::importModule(). When an import module returns results in the misp_standard format, the write path failed to verify event modification rights, allowing authenticated users or read-only API keys with event view access ...

5.3CVSS6AI score0.0022EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/08 1:30 p.m.5 views

EUVD-2026-42239

An authorization bypass in MISP’s EventsController::importModule allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the mispstandard format, the write path did not verify eve...

5.3CVSS6AI score0.0022EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/08 1:30 p.m.6 views

CVE-2026-60124

An authorization bypass in MISP’s EventsController::importModule allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the mispstandard format, the write path did not verify eve...

5.3CVSS6AI score0.0022EPSS
Exploits0References2
OSV
OSV
added 2026/07/08 1:30 p.m.4 views

CVE-2026-60124 MISP importModule missing authorization allows read-only users to modify events via misp_standard imports

An authorization bypass in MISP’s EventsController::importModule allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the mispstandard format, the write path did not verify eve...

5.3CVSS6.1AI score0.0022EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/08 1:23 p.m.5 views

EUVD-2026-42235

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send...

9.1CVSS5.9AI score0.00388EPSS
Exploits0References2
CVE
CVE
added 2026/07/08 1:23 p.m.14 views

CVE-2026-54061

Dgraph Alpha before version 25.3.5 exposes the RPCs for external snapshot import on the public gRPC port :9080 without authentication or authorization, allowing an unauthenticated network client to open StreamExtSnapshot and stream Badger data to the target group’s store. The receiver invokes Pre...

9.1CVSS5.9AI score0.00388EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/08 1:23 p.m.31 views

CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send...

9.1CVSS0.00388EPSS
Exploits0References2
OSV
OSV
added 2026/07/08 1:23 p.m.5 views

CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send...

9.1CVSS6.1AI score0.00388EPSS
Exploits0References4
NVD
NVD
added 2026/07/08 6:16 a.m.9 views

CVE-2026-12097

The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the plugin's...

5.3CVSS0.00255EPSS
Exploits0References5
CVE
CVE
added 2026/07/08 5:34 a.m.17 views

CVE-2026-12097

The CVE covers the WordPress User Management plugin (versions up to and including 1.2). Affected component: the plugin’s authorization flow; root cause is improper verification of a user’s permission, enabling an authorization bypass. Impact: unauthenticated attackers can modify the plugin’s expo...

5.3CVSS5.9AI score0.00255EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.8 views

PT-2026-56423

Name of the Vulnerable Software and Affected Versions Dgraph versions prior to 25.3.5 Description Dgraph Alpha exposes privileged RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. An unauthenticated network client can access the...

9.1CVSS6.1AI score0.00388EPSS
Exploits0References7
NVD
NVD
added 2026/07/07 5:16 p.m.12 views

CVE-2026-23698

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents...

8.6CVSS0.00867EPSS
Exploits2References3
ATTACKERKB
ATTACKERKB
added 2026/07/07 4:10 p.m.7 views

CVE-2026-23698

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents...

8.6CVSS6.7AI score0.00867EPSS
Exploits2References4
EUVD
EUVD
added 2026/07/07 4:10 p.m.6 views

EUVD-2026-42054

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents...

8.6CVSS6.7AI score0.00867EPSS
Exploits2References3
CVE
CVE
added 2026/07/07 4:10 p.m.14 views

CVE-2026-23698

Vtiger CRM up to 8.4.0 is affected by an authenticated remote code execution vulnerability in the admin ModuleManager import feature. A privileged administrator can upload a crafted ZIP archive which is extracted directly into the web root’s modules/ directory without proper file-type validation ...

8.6CVSS6.7AI score0.00867EPSS
Exploits2References3
Vulnrichment
Vulnrichment
added 2026/07/07 4:10 p.m.8 views

CVE-2026-23698 Vtiger CRM 8.4.0 Authenticated RCE via Module Import File Upload

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents...

8.6CVSS6.7AI score0.00867EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/07/07 4:10 p.m.31 views

CVE-2026-23698 Vtiger CRM 8.4.0 Authenticated RCE via Module Import File Upload

Vtiger CRM through 8.4.0 contains an authenticated remote code execution vulnerability in the admin module import feature that allows administrator-level attackers to upload arbitrary PHP files by submitting a crafted zip archive through the ModuleManager import function, which extracts contents...

8.6CVSS0.00867EPSS
Exploits2References3
OSV
OSV
added 2026/07/07 11:45 a.m.5 views

PYSEC-2026-1142 Airflow Sqoop Provider RCE Vulnerability

Apache Airflow Sqoop Provider, versions before 4.0.0, is affected by a vulnerability that allows an attacker pass parameters with the connections, which makes it possible to implement RCE attacks via ‘sqoop import --connect’, obtain airflow server permissions, etc. The attacker needs to be logged...

8.8CVSS7.1AI score0.01206EPSS
Exploits0References6
OSV
OSV
added 2026/07/07 10:17 a.m.4 views

PYSEC-2026-1015 TensorFlow vulnerable to assertion fail on MLIR empty edge names

Impact When mlir::tfg::ConvertGenericFunctionToFunctionDef is given empty function attributes, it crashes. cpp // We pre-allocate the array of operands and populate it using the // outputnametoposition and controloutputtoposition populated // previously. SmallVector retvalsfunc.retsize +...

5.9CVSS5.9AI score0.00567EPSS
Exploits0References8
Rows per page
Query Builder