Lucene search
K

568 matches found

Cvelist
Cvelist
added 3 days ago35 views

CVE-2026-43925 FOSSBilling: Mass assignment of group_id in guest client registration allows unauthorized promo code use

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can...

6.9CVSS0.00298EPSS
Exploits0References1
CVE
CVE
added 3 days ago10 views

CVE-2026-43925

FOSSBilling (open-source billing/client management) contains an unauthenticated mass assignment vulnerability in the client self-registration endpoint, prior to version 0.8.0. An attacker can assign themselves to an arbitrary client group during sign-up, potentially bypassing group-restricted pro...

6.9CVSS6.1AI score0.00298EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 3 days ago4 views

CVE-2026-43925

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, an unauthenticated mass assignment vulnerability in the client self-registration endpoint allows any visitor to assign themselves to an arbitrary client group during sign-up. Because client groups can...

6.9CVSS6.1AI score0.00298EPSS
Exploits0References2Affected Software1
OSV
OSV
added 3 days ago5 views

GHSA-7JVP-HJ45-2F2M Scriban: Template Writes to Arbitrary CLR Properties via `TypedObjectAccessor` (Mass Assignment + `private` / `init` / `internal` Setter Bypass)

Description When a host pushes a CLR object into a Scriban TemplateContext via the standard, documented pattern — var so = new ScriptObject; so"user" = currentUser; // direct CLR reference context.PushGlobalso; — TypedObjectAccessor exposes every public-getter property for both reading and writin...

8.7CVSS6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 3 days ago6 views

PT-2026-56030

Name of the Vulnerable Software and Affected Versions FOSSBilling versions prior to 0.8.0 Description An unauthenticated mass assignment issue exists in the client self-registration endpoint. This allows a visitor to assign themselves to an arbitrary client group during the sign-up process. Since...

6.9CVSS6.1AI score0.00298EPSS
Exploits0References7
NVD
NVD
added 2026/07/02 5:17 p.m.6 views

CVE-2026-50281

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS0.00253EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/02 4:2 p.m.7 views

CVE-2026-50281

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/07/02 4:2 p.m.7 views

EUVD-2026-41409

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/02 4:2 p.m.33 views

CVE-2026-50281 Craft CMS: Mass assignment via id in newAttributes during bulk duplicate overwrites existing elements

Craft CMS is a content management system CMS. Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The...

7.1CVSS0.00253EPSS
Exploits0References2
CVE
CVE
added 2026/07/02 4:2 p.m.14 views

CVE-2026-50281

Craft CMS vulnerability CVE-2026-50281 affects versions 5.7.0 through 5.9.20. A mass-assignment flaw in the bulk-duplicate element action allows an attacker who can duplicate their own entries to submit an arbitrary id via the newAttributes parameter. The duplication flow clones the source elemen...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References2
NVD
NVD
added 2026/07/01 7:16 p.m.6 views

CVE-2026-50160

Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extr...

10CVSS0.0059EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/07/01 5:48 p.m.35 views

CVE-2026-50160 Mass Assignment via Onboarding Endpoint Allows Unauthenticated JWT_SECRET Overwrite

Hoppscotch is an API development ecosystem. In self-hosted deployments of hoppscotch-backend from version 2026.4.1 and earlier, the unauthenticated POST /v1/onboarding/config endpoint is vulnerable to mass assignment. The global NestJS ValidationPipe is configured without whitelist: true, so extr...

10CVSS0.0059EPSS
Exploits1References2
CVE
CVE
added 2026/07/01 5:48 p.m.24 views

CVE-2026-50160

Hoppscotch self-hosted deployments (Hoppscotch-backend

10CVSS6.1AI score0.0059EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2026/06/26 9:16 p.m.12 views

CVE-2026-54351

Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger allows an attacker to overwrite the interna...

9.6CVSS0.00461EPSS
Exploits1References1
CVE
CVE
added 2026/06/26 8:45 p.m.27 views

CVE-2026-54351

Budibase (open-source low-code platform) is affected by CVE-2026-54351 prior to version 3.39.9. A mass assignment vulnerability in externalTrigger() allows an attacker to overwrite the internal appId by including it in the webhook POST body, causing the async automation worker to run in the victi...

9.6CVSS6AI score0.00461EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/06/26 8:45 p.m.27 views

CVE-2026-54351 Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override

Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger allows an attacker to overwrite the interna...

8.2CVSS0.00461EPSS
Exploits1References1
NVD
NVD
added 2026/06/25 4:16 p.m.9 views

CVE-2026-48943

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...

6.5CVSS0.00182EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/25 3:22 p.m.4 views

EUVD-2026-39438

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...

6.5CVSS6AI score0.00182EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 3:22 p.m.5 views

CVE-2026-48943

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...

6.5CVSS6AI score0.00182EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/25 3:22 p.m.8 views

CVE-2026-48943 Joomla Extension - getk2.org - Authenticated user property mass-assignment in K2 extension for Joomla < 2.26

K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...

5.9AI score0.00182EPSS
Exploits0References1
Rows per page
Query Builder