Lucene search
+L

849 matches found

cvelist
cvelist
added yesterday22 views

CVE-2026-59235 Missing authorization in Prospero Flow CRM allows low-privileged users to read all bank accounts

Missing Authorization CWE-862 in BankAccountListController app/Http/Controllers/Api/BankAccount/BankAccountListController.php, exposed at GET /api/bank-account, in Prospero Flow CRM companyid-get, performing only company scoping and no role or permission check before returning the data. This...

8.7CVSS
Exploits0References3
cvelist
cvelist
added 2 days ago33 views

CVE-2026-15641

Improper authorization in the access request status endpoint in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to approve their own pending access request via a direct call to the request status endpoint, bypassing the required approver review...

0.0015EPSS
Exploits0References1
cvelist
cvelist
added 2 days ago31 views

CVE-2026-15637

Improper authorization in the PAM SSH key and certificate retrieval endpoints in Devolutions Server 2026.2.11, 2026.1.22 allows an authenticated low-privileged user to disclose the private key of an SSH key or certificate PAM credential via a direct object reference to the credential identifier...

0.00096EPSS
Exploits0References1
cvelist
cvelist
added 3 days ago36 views

CVE-2026-58410 ChurchCRM: Improper object-level authorization allows low-privileged users to read and modify other families’ records

ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another...

7.1CVSS0.00174EPSS
Exploits0References1
cve
cve
added 3 days ago6 views

CVE-2026-58408

ChurchCRM prior to version 7.4.0 exposes a CSV export endpoint that leaks full PII of every Person/Family. The POST /CSVCreateFile.php export is gated only by a coarse admin permission check and lacks a dedicated isAdmin/owner authorization, allowing any user with non-admin flags to trigger a bul...

6.5CVSS6.1AI score0.00217EPSS
Exploits0References1
nvd
nvd
added 2026/07/08 3:16 p.m.7 views

CVE-2026-55873

SeaweedFS is a distributed storage system. In versions 4.08 through 4.33, requests signed with SigV4 service s3tables are routed to the S3Tables management API where authorization collapses account-less S3 identities into the shared admin account and fails open, allowing an authenticated...

4.3CVSS0.00199EPSS
Exploits0References4
attackerkb
attackerkb
added 2026/07/08 7:36 a.m.9 views

CVE-2026-57239

The user-controllable executable files will be directly executed by high-privilege processes, allowing low-privilege users to have the opportunity to elevate their privileges to NT AUTHORITY\SYSTEM...

8.2CVSS6AI score0.00115EPSS
Exploits0References2Affected Software2
cve
cve
added 2026/07/04 12:5 p.m.22 views

CVE-2026-12196

The CVE-2026-12196 entry describes a broken access control vulnerability in the HestiaCP panel cronjob feature. Low-privilege users can modify the panel cronjob to execute management scripts with passwordless sudo, enabling takeover of administrator users in the application and the underlying web...

8.3CVSS6AI score0.00256EPSS
Exploits0References2
nvd
nvd
added 2026/07/02 3:17 p.m.10 views

CVE-2026-9272

In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System ADS may send specially crafted requests that could result in unauthorized access to application data and its...

8.7CVSS0.00247EPSS
Exploits0References1
cvelist
cvelist
added 2026/07/02 2:2 p.m.38 views

CVE-2026-9272 Possibility of unintended database operations when querying data related to detected anomalies in Progress Flowmon ADS

In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System ADS may send specially crafted requests that could result in unauthorized access to application data and its...

8.7CVSS0.00247EPSS
Exploits0References1
cve
cve
added 2026/07/02 2:2 p.m.24 views

CVE-2026-9272

CVE-2026-9272 affects Progress Flowmon ADS prior to 12.5.6 and 13.0.5. An adversary authenticated as a low-privileged ADS user can send specially crafted requests that lead to unauthorized access to and modification of application data. The CVE’s metrics indicate HIGH impact on confidentiality, i...

8.7CVSS5.8AI score0.00247EPSS
Exploits0References1Affected Software1
cve
cve
added 2026/07/01 11:31 p.m.16 views

CVE-2026-50279

Craft CMS (versions 5.0.0-RC1 through 5.9.20) contains an authorization gap in EntriesController::actionSaveEntry where entry-edit checks precede author changes. The code path allows attacker-supplied authors to mutate the authors list when the current user is among the old authors, without re-ru...

7.6CVSS5.7AI score0.00245EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/07/01 4:32 p.m.8 views

CVE-2026-56152

Incorrect Authorization CWE-863 in Elastic Defend can lead to unauthorized information disclosure via Accessing Functionality Not Properly Constrained by ACLs CAPEC-1. Under certain conditions, a low-privileged authenticated user can access response action data that they are not authorized to vie...

5.3CVSS5.8AI score0.00181EPSS
Exploits0References2Affected Software1
ptsecurity
ptsecurity
added 2026/07/01 12:0 a.m.8 views

PT-2026-54831

Name of the Vulnerable Software and Affected Versions MCO version 25.3.3.1 Description Insufficient authorization enforcement occurs in the '/customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure' endpoint. This allows an authenticated user with low privileges to retrieve...

7.1CVSS5.8AI score0.00183EPSS
Exploits0References7
cve
cve
added 2026/06/26 1:11 a.m.22 views

CVE-2026-50739

Revive Adserver 6.0.7 and earlier expose a bypass of ownership validation in the reverse operation that links campaigns and trackers via tracker-campaigns.php. A low-privilege user could link their trackers to campaigns owned by other managers on the same instance, causing inconsistent ownership ...

4.3CVSS5.8AI score0.00287EPSS
Exploits1References1Affected Software1
cve
cve
added 2026/06/21 1:27 p.m.18 views

CVE-2026-56385

Craft CMS suffers an authorization bypass in the assets/preview-file endpoint. Versions affected: 5.0.0-RC1–5.9.13 and 4.0.0-RC1–4.17.7. An authenticated low-privileged user can supply an assetId for an asset they should not view and still receive preview data (previewHtml), including a private p...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References3
nvd
nvd
added 2026/06/17 6:17 p.m.13 views

CVE-2026-20265

In Splunk AI Toolkit versions below 5.7.4, a low-privileged user that does not hold the "admin" or "power" Splunk roles could cause the Splunk AI Toolkit to make outbound requests over HTTP to a server that an attacker controls, which could allow for data exfiltration. The vulnerability exists...

4.3CVSS0.00217EPSS
Exploits0References1
nvd
nvd
added 2026/06/17 3:16 p.m.13 views

CVE-2026-10850

Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the descriptionhtml field when creating an intake work item through the API v1 intake endpoint...

6.9CVSS0.00165EPSS
Exploits1References2
osv
osv
added 2026/06/16 7:16 p.m.5 views

ALPINE-CVE-2026-4367

A flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the xpmNextWord function by processing a specially crafted or very small XPM X PixMap image file. This improper validation of file boundaries can cause an internal pointer to read...

5.5CVSS4.7AI score0.00129EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/16 12:0 a.m.25 views

PT-2026-50030

🚨 CVE-2026-46926 Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM component: Siebel Cloud Manager. Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM...

8.8CVSS5.9AI score0.0012EPSS
Exploits0References3
Rows per page
Query Builder