49 matches found
keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement
A flaw was found in Keycloak's Fine-Grained Admin Permissions FGAPv2 feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security...
CVE-2026-42605 AzuraCast: Path Traversal in `currentDirectory` Parameter Enables Remote Code Execution via Media Upload
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint POST /api/station/stationid/files/upload is not sanitized for path traversal sequences. When combined with a local filesystem...
@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call
Summary The checkSQL validation function that blocks dangerous SQL keywords e.g., pgreadfile, LOADFILE, dblink is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions...
CVE-2026-32712
Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Daily Sales management table. The customername column is configured with escape: false in the bootstrap-tabl...
CVE-2026-27196 Statamic affected by privilege escalation via stored Cross-site Scripting
Statmatic is a Laravel and Git powered content management system CMS. Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that...
GHSA-8R7R-F4GM-WCPQ Statamic affected by privilege escalation via stored cross-site scripting
Impact Stored XSS vulnerability in html fieldtypes allow authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Patches This has been fixed in 6.3.2 and 5.73.9...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the configFieldItems function. An attacker can execute arbitrary JavaScript in the context of higher-privileged users by injecting malicious scripts as an authenticated user with field management permissions...
Quick Heal Total Security 安全漏洞
Quick Heal Total Security is a antivirus software developed by the Indian company Quick Heal. Version 23.0.0 of Quick Heal Total Security contains a security vulnerability. This vulnerability stems from insufficient validation of restore paths and improper handling of permissions in the isolation...
Insufficient Granularity of Access Control
Overview Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the properties API endpoint. An attacker can access and retrieve the complete list of configurable metadata definitions by sending requests as an authenticated backend user without explicit...
CVE-2025-68437
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter,...
EUVD-2026-0845
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, the Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter,...
Huawei HarmonyOS 安全漏洞
Huawei HarmonyOS is an operating system from Huawei China. It provides a full-scenario distributed operating system based on a microkernel. A privilege control vulnerability exists in the Huawei HarmonyOS file management module, which can be exploited by an attacker to compromise service...
EUVD-2021-27069
Malware in sbrugna...
EUVD-2021-2173
Malware in sbrugna...
EUVD-2016-4846
Malware in sbrugna...
EUVD-2022-49120
Malicious code in bioql PyPI...
EUVD-2022-29038
Malicious code in bioql PyPI...
CVE-2025-7691
A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain unauthorized access...
CVE-2025-7691 Privilege Defined With Unsafe Actions in GitLab
A privilege escalation issue has been discovered in GitLab EE affecting all versions from 16.6 prior to 18.2.7, 18.3 prior to 18.3.3, and 18.4 prior to 18.4.1 that could have allowed a developer with specific group management permissions to escalate their privileges and obtain unauthorized access...
PT-2025-39627
Name of the Vulnerable Software and Affected Versions GitLab EE versions 16.6 through 18.2.6 GitLab EE versions 18.3 through 18.3.2 GitLab EE versions 18.4 through 18.4.0 Description A privilege escalation issue exists in GitLab EE. A developer possessing specific group management permissions may...