2405 matches found
Rukovoditel <= 3.2.1 - Cross Site Scripting
A stored cross-site scripting XSS vulnerability in the Global Lists feature /index.php?module=globallists/lists of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter after clicking "Add". id:...
ASUSTOR ADM 3.1.0.RFQ3 - SQL Injection
ASUSTOR ADM version 3.1.0.RFQ3 is vulnerable to SQL injection via the albumid parameter in the /photo-gallery/api/album/treelists/ endpoint. An attacker can exploit this vulnerability to execute arbitrary SQL commands on the database, potentially leading to information disclosure or further...
CVE-2026-61428
PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and...
[SECURITY] Fedora 44 Update: acl-2.4.0-1.fc44
This package contains the getfacl and setfacl utilities needed for manipulating access control lists...
CVE-2026-22659
FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted...
CVE-2026-22659
FlaskBB up to version 2.2.0 is vulnerable to an authorization bypass. The issue arises when an attacker manipulates a batch request with crafted topic ID lists, causing a low-ID topic from a permitted forum to be used as an anchor and bypass the permission check applied only to the first result. ...
CVE-2026-6280
Exposure of sensitive information due to incompatible policies vulnerability in NOMYSOFT Informatics Education and Consulting Inc. Nomysem allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Nomysem: through 08072026. NOTE: The vendor was contacted early about this...
CVE-2026-11340
Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liman MYS: before release.Master.1107...
EUVD-2026-42033
Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liman MYS: before release.Master.1107...
CVE-2026-11340
Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liman MYS: before release.Master.1107...
CVE-2026-11340
CVE-2026-11340 describes a Missing Authorization vulnerability in HAVELSAN’s Liman MYS prior to release.Master.1107, where functionality is accessible without proper ACL constraints. Core issue: access to certain features is not properly constrained by ACLs, enabling unauthorized access. Accordin...
CVE-2026-14474
A flaw was found in SSSD's LDAP sudo provider. When the ldapsudosearchbase option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo...
CVE-2026-11592
The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perfor...
EUVD-2026-41248
The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perfor...
CVE-2026-11592
The CVE-2026-11592 entry concerns the WordPress plugin Email Subscribers & Newsletters (formerly “Email Marketing, Post Notifications & Newsletter”). It describes an authorization bypass vulnerability affecting all versions up to and including 5.9.27. The root cause is that the plugin fails to ve...
EUVD-2026-41087
Incorrect Authorization CWE-863 in Elastic Defend can lead to unauthorized information disclosure via Accessing Functionality Not Properly Constrained by ACLs CAPEC-1. Under certain conditions, a low-privileged authenticated user can access response action data that they are not authorized to vie...
CVE-2026-53434
A flaw was found in Apache Tomcat. When configuring Certificate Revocation Lists CRLs for a FFM presumably a specific type of connector, the system fails to detect and act upon an error condition. This oversight could lead to unexpected behavior or a security bypass, as the intended security...
DEBIAN-CVE-2026-53434
Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version...
CVE-2026-53434
Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version...
CVE-2026-53434
Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version...