Lucene search
+L

608 matches found

cve
cve
added yesterday5 views

CVE-2026-56679

9Router (AI router & token saver) contains a mass-assignment vulnerability in PATCH /api/settings prior to version 0.5.4. The endpoint writes the entire request body to persistent settings without a field whitelist, enabling an authenticated user to modify security-critical fields such as require...

8.7CVSS6.1AI score
Exploits0References1
cvelist
cvelist
added yesterday25 views

CVE-2026-56679 9Router: Mass assignment in PATCH /api/settings allows authenticated authorization downgrade

9Router is an AI router & token saver. Prior to 0.5.4, the PATCH /api/settings endpoint writes the entire request body to persistent settings without a field whitelist, allowing an authenticated user to set security-critical fields such as requireLogin and disable authentication for the whole...

8.7CVSS
Exploits0References1
cve
cve
added 2 days ago4 views

CVE-2026-58477

SIP (Sustainable Irrigation Platform) up to version 5.2.16 contains a mass assignment flaw where the value-setting interface copies every HTTP parameter into internal settings without whitelisting. This enables unauthenticated attackers to overwrite sensitive configuration such as the passphrase ...

8.8CVSS6.1AI score0.00357EPSS
Exploits2References2Affected Software1
nvd
nvd
added 6 days ago8 views

CVE-2026-54329

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while companyid is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another compa...

8.5CVSS0.00389EPSS
Exploits0References5
cvelist
cvelist
added 6 days ago31 views

CVE-2026-54329 Snipe-IT: Cross-Tenant Accessory Injection in Snipe-IT API

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while companyid is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another compa...

8.5CVSS0.00389EPSS
Exploits0References5
euvd
euvd
added 6 days ago7 views

EUVD-2026-42982

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while companyid is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another compa...

8.5CVSS6.1AI score0.00389EPSS
Exploits0References5
osv
osv
added 6 days ago6 views

CVE-2026-54329 Snipe-IT: Cross-Tenant Accessory Injection in Snipe-IT API

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while companyid is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another compa...

8.5CVSS6.1AI score0.00389EPSS
Exploits0References7
cve
cve
added 6 days ago21 views

CVE-2026-54329

Summary: CVE-2026-54329 affects Snipe-IT before 8.6.2, where the Accessories API can mass-assign the company_id field, enabling a low-privilege user in one company (with FMCS enabled) to create accessory records under another company. Root cause: API create path mass-assigns request parameters di...

8.5CVSS6.1AI score0.00389EPSS
Exploits0References5Affected Software1
cvelist
cvelist
added 2026/07/06 9:41 p.m.36 views

CVE-2026-43925 FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized promo code use

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can...

6.9CVSS0.00298EPSS
Exploits0References1
cve
cve
added 2026/07/06 9:41 p.m.11 views

CVE-2026-43925

FOSSBilling (open-source billing/client management) contains an unauthenticated mass assignment vulnerability in the client self-registration endpoint, prior to version 0.8.0. An attacker can assign themselves to an arbitrary client group during sign-up, potentially bypassing group-restricted pro...

6.9CVSS6.1AI score0.00298EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/07/06 9:41 p.m.7 views

CVE-2026-43925

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can...

6.9CVSS6.1AI score0.00298EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/07/06 9:41 p.m.4 views

CVE-2026-43925 FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized promo code use

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can...

6.9CVSS6.1AI score0.00298EPSS
Exploits0References3
osv
osv
added 2026/07/06 5:30 p.m.8 views

GHSA-7JVP-HJ45-2F2M Scriban: Template Writes to Arbitrary CLR Properties via `TypedObjectAccessor` (Mass Assignment + `private` / `init` / `internal` Setter Bypass)

Description When a host pushes a CLR object into a Scriban TemplateContext via the standard, documented pattern — var so = new ScriptObject; so"user" = currentUser; // direct CLR reference context.PushGlobalso; — TypedObjectAccessor exposes every public-getter property for both reading and writin...

8.7CVSS6AI score
Exploits0References2
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.6 views

PT-2026-56030

Name of the Vulnerable Software and Affected Versions FOSSBilling versions prior to 0.8.0 Description An unauthenticated mass assignment issue exists in the client self-registration endpoint. This allows a visitor to assign themselves to an arbitrary client group during the sign-up process. Since...

6.9CVSS6.1AI score0.00298EPSS
Exploits0References7
nvd
nvd
added 2026/07/02 5:17 p.m.8 views

CVE-2026-50281

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS0.00253EPSS
Exploits0References2
cve
cve
added 2026/07/02 4:2 p.m.23 views

CVE-2026-50281

Craft CMS vulnerability CVE-2026-50281 affects versions 5.7.0 through 5.9.20. A mass-assignment flaw in the bulk-duplicate element action allows an attacker who can duplicate their own entries to submit an arbitrary id via the newAttributes parameter. The duplication flow clones the source elemen...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References2
cvelist
cvelist
added 2026/07/02 4:2 p.m.37 views

CVE-2026-50281 Craft CMS: Mass assignment via id in newAttributes during bulk duplicate overwrites existing elements

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS0.00253EPSS
Exploits0References2
euvd
euvd
added 2026/07/02 4:2 p.m.7 views

EUVD-2026-41409

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/07/02 4:2 p.m.8 views

CVE-2026-50281

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References3Affected Software1
osv
osv
added 2026/07/02 4:2 p.m.5 views

CVE-2026-50281 Craft CMS: Mass assignment via id in newAttributes during bulk duplicate overwrites existing elements

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS6AI score0.00253EPSS
Exploits0References4
Rows per page
Query Builder