Lucene search
K

568 matches found

EUVD
EUVD
added 2026/06/20 3:24 p.m.10 views

EUVD-2026-38119

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password has...

6CVSS5.9AI score0.00251EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/20 12:0 a.m.13 views

PT-2026-51151

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the 'PUT /api/v1/user' endpoint. This allows authenticated users to modify the credential field without proper validation. By providing a crafted password hash, an...

6CVSS5.9AI score0.00251EPSS
Exploits0References9
NVD
NVD
added 2026/06/12 8:16 p.m.11 views

CVE-2026-54361

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

8.8CVSS0.00262EPSS
Exploits0References1
NVD
NVD
added 2026/06/12 8:16 p.m.14 views

CVE-2026-54360

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create followed by save...

8.4CVSS0.00226EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 7:59 p.m.34 views

CVE-2026-54361

CVE-2026-54361 affects MISP and stems from mass assignment flaws in collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should be server-controlled (e.g., id, org_id, orgc_id, user_id), enabling an authenticated att...

8.8CVSS5.2AI score0.00262EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 7:59 p.m.33 views

CVE-2026-54361 MISP mass assignment vulnerabilities allow unauthorized modification of ownership and delegation records

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

8.8CVSS0.00262EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 7:59 p.m.8 views

CVE-2026-54361 MISP mass assignment vulnerabilities allow unauthorized modification of ownership and delegation records

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

8.8CVSS5.1AI score0.00262EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:59 p.m.9 views

EUVD-2026-36554

MISP contained multiple mass assignment vulnerabilities in the handling of collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should have remained server-controlled, including record identifiers and ownership-relat...

8.8CVSS5.2AI score0.00262EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 7:51 p.m.20 views

CVE-2026-54360

CVE-2026-54360 affects MISP: the mass assignment in the sharing group creation flow (SharingGroupsController::add) allows an authenticated user to submit an existing group’s id, causing a create() followed by save() to update that group. This could enable takeover or alteration of sharing groups ...

8.4CVSS5.4AI score0.00226EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/12 7:51 p.m.7 views

CVE-2026-54360 MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create followed by save...

8.4CVSS5.3AI score0.00226EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 7:51 p.m.11 views

EUVD-2026-36552

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create followed by save...

8.4CVSS5.4AI score0.00226EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/12 7:51 p.m.33 views

CVE-2026-54360 MISP sharing group creation mass assignment allows unauthorized takeover of existing sharing groups

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create followed by save...

8.4CVSS0.00226EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.15 views

PT-2026-48973

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description Multiple mass assignment issues exist in the handling of collections, tag collections, event delegations, and shadow attributes. Certain controller actions accept user-supplied fields that shoul...

8.8CVSS5.3AI score0.00262EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.18 views

PT-2026-48972

A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create followed by save...

8.4CVSS5.3AI score0.00226EPSS
Exploits0References2
NVD
NVD
added 2026/06/11 10:16 a.m.12 views

CVE-2026-53911

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit...

6.3CVSS0.00207EPSS
Exploits0References1
CVE
CVE
added 2026/06/11 9:41 a.m.26 views

CVE-2026-53911

CVE-2026-53911 affects Cerebrate up to version 1.36, where the id primary key could be supplied via request input during CRUD edits and patching flows for several entity types (User, Role, UserSetting, LocalTool, PermissionLimitation, EnumerationCollection). An authenticated attacker could includ...

6.3CVSS5.5AI score0.00207EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/11 9:41 a.m.8 views

CVE-2026-53911 Cerebrate primary key mass assignment in CRUD edit operations allows authenticated users to overwrite unrelated records

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit...

6.3CVSS5.5AI score0.00207EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/11 9:41 a.m.9 views

EUVD-2026-36218

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit...

6.3CVSS5.5AI score0.00207EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/11 9:41 a.m.31 views

CVE-2026-53911 Cerebrate primary key mass assignment in CRUD edit operations allows authenticated users to overwrite unrelated records

Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit a crafted edit...

6.3CVSS0.00207EPSS
Exploits0References1
NVD
NVD
added 2026/06/11 9:16 a.m.15 views

CVE-2026-53901

Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add handler attempted to remove an attacker-supplied id from $params before normalizing the request through massageInput. Because the normalized $input could still contain an id field, a user...

8.7CVSS0.00312EPSS
Exploits0References1
Rows per page
Query Builder