3432 matches found
CVE-2026-5269
In Ciena's Navigator Network Control Suite NCS and Manage Control Plan MCP, there are hidden system accounts used for internal software operations. Some of these accounts have default passwords that may be predictable. While these accounts have very limited permissions on their own, an attacker...
CVE-2026-5269
Technical details about CVE-2026-5269 are not publicly available in the provided documents; no affected product versions, exploit information, or remediation specifics are included. Monitor for updates.
CVE-2026-5269 Navigator NCS and MCP System Accounts with Default Passwords
In Ciena's Navigator Network Control Suite NCS and Manage Control Plan MCP, there are hidden system accounts used for internal software operations. Some of these accounts have default passwords that may be predictable. While these accounts have very limited permissions on their own, an attacker...
CVE-2026-5270 Authentication Bypass in Navigator and Blue Planet Products
An authentication bypass vulnerability exists in certain releases of Ciena Navigator Network Control Suite NCS, Manage Control Plan MCP, and Blue Planet products. The issue is caused by improper handling of HTTP request paths and headers, which allows an unauthenticated attacker to manipulate...
Atlassian Jira <7.13.3/8.0.0-8.1.1 - Incorrect Authorization
Atlasssian Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 is susceptible to incorrect authorization. The ManageFilters.jspa resource allows a remote attacker to enumerate usernames via an incorrect authorization check, thus possibly obtaining sensitive information, modifyi...
Oracle E-Business Suite <=12.2 - Authentication Bypass
Oracle E-Business Suite component: Manage Proxies 12.1 and 12.2 are susceptible to an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise it by self-registering for an account. Successful attacks of this vulnerability can result in...
CVE-2026-12994 WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Missing Authorization to Unauthenticated Arbitrary Inquiry Reply Injection via wcfm-my-account-enquiry-manage Controller
The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attacker...
[SECURITY] Fedora 43 Update: k9s-0.51.0-2.fc43
Kubernetes CLI To Manage Your Clusters In Style!...
CVE-2026-9842
The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the manageoptions capability to the backstagecustomizeruser demo role, which is more permissive than necessary for...
CVE-2026-9842 Backstage <= 1.4.2 - Unauthenticated Privilege Escalation via Permissive Demo Role Capabilities
The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the manageoptions capability to the backstagecustomizeruser demo role, which is more permissive than necessary for...
CVE-2026-9842
The CVE-2026-9842 entry concerns the Backstage - Customizer Demo Access plugin for WordPress (up to version 1.4.2). The root cause is that the plugin assigns the manage_options capability to the backstage_customizer_user demo role, which is more permissive than required for a Demo Access/Customiz...
CVE-2026-55633 DataEase H2 RCE via Zip Protocol & File Dropper Fix bypass
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a bypass of the H2 zip protocol and file dropper fix allows an authenticated attacker to upload a zip archive disguised with a .ttf extension through FontManage.saveFile and then exploit it through the zip protocol...
PYSEC-2026-763 Zope Cross-site scripting (XSS) vulnerability in ZMI pages
Cross-site scripting XSS vulnerability in ZMI pages that use the managetabsmessage in Zope 2.11.4, 2.11.2, 2.10.9, 2.10.7, 2.10.6, 2.10.5, 2.10.4, 2.10.2, 2.10.1, 2.12...
PYSEC-2026-735 Improper Restriction of XML External Entity Reference in Plone
Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata therefore, only available to the Manager role...
CVE-2026-9106
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the managerunners:org scope and directing ...
CVE-2026-9106
The CVE-2026-9106 issue concerns GitHub Enterprise Server where a UI misrepresentation allowed an OAuth app to gain unauthorized access to an organization’s runner management. A victim could be tricked into authorizing an app requesting the manage_runners:org scope because the scope was not shown...
CVE-2026-9106
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the managerunners:org scope and directing ...
CVE-2026-9106 UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organization runner management via undisclosed OAuth scope on consent screen
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the managerunners:org scope and directing ...
EUVD-2026-40407
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the managerunners:org scope and directing ...
CVE-2026-4629
A flaw was found in Keycloak. A highly privileged user with manage-clients permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the realm-admin role into generated tokens,...