Lucene search
K

24 matches found

NVD
NVD
added 2026/06/10 3:16 p.m.10 views

CVE-2026-53469

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

9.1CVSS0.00288EPSS
Exploits0References3
NVD
NVD
added 2026/06/10 3:16 p.m.12 views

CVE-2026-53471

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens JWTs for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the sourceid claim within these tokens against the requested source ID. This oversight allows an...

9.6CVSS0.00286EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/10 1:55 p.m.17 views

EUVD-2026-36034

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the /api/v1/sources/id/image-url endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance OVA images...

9.6CVSS5.5AI score0.0028EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/10 1:55 p.m.9 views

CVE-2026-53470 Migration-planner: getsourcedownloadurl missing organization check

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the /api/v1/sources/id/image-url endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance OVA images...

9.6CVSS5.3AI score0.0028EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/10 1:55 p.m.9 views

EUVD-2026-36031

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens JWTs for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the sourceid claim within these tokens against the requested source ID. This oversight allows an...

9.6CVSS5.5AI score0.00286EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/10 1:55 p.m.36 views

CVE-2026-53471 Migration-planner: agent api ignores jwt source_id claim

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens JWTs for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the sourceid claim within these tokens against the requested source ID. This oversight allows an...

9.6CVSS0.00286EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/10 1:55 p.m.33 views

CVE-2026-53474 Migration-planner: second-order sql injection via rvtools upload

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

9.6CVSS0.00298EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/10 1:55 p.m.9 views

EUVD-2026-36030

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

9.6CVSS5.8AI score0.00298EPSS
Exploits0References3
CVE
CVE
added 2026/06/10 1:55 p.m.23 views

CVE-2026-53474

Migration-planner is affected by a second-order SQL injection via uploads of RVTools .xlsx files. The flaw arises from improper input sanitization and causes malicious SQL embedded in a spreadsheet cell to execute when cluster names are processed, enabling arbitrary file reading on the host (pote...

9.6CVSS5.9AI score0.00298EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/10 1:55 p.m.8 views

CVE-2026-53474 Migration-planner: second-order sql injection via rvtools upload

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

9.6CVSS5.8AI score0.00298EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/10 1:55 p.m.7 views

CVE-2026-53469 Migration-planner: unprotected delete endpoint wipes all tenant data

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

9.1CVSS5.5AI score0.00288EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/10 1:55 p.m.37 views

CVE-2026-53469 Migration-planner: unprotected delete endpoint wipes all tenant data

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

9.1CVSS0.00288EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/10 1:55 p.m.8 views

CVE-2026-53473

A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser...

7.3CVSS5.3AI score0.00187EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/10 1:55 p.m.9 views

CVE-2026-53474

A flaw was found in migration-planner. A remote authenticated attacker could exploit this vulnerability by uploading a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within a spreadsheet cell is executed when cluster names are processed. This SQL...

9.6CVSS5.8AI score0.00298EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/10 1:55 p.m.9 views

CVE-2026-53469

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

9.1CVSS5.5AI score0.00288EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/10 1:55 p.m.8 views

EUVD-2026-36028

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

9.1CVSS5.5AI score0.00288EPSS
Exploits0References3
CVE
CVE
added 2026/06/10 1:55 p.m.18 views

CVE-2026-53469

Migration-planner is affected. An authenticated user can issue a DELETE to /api/v1/sources that is not properly authorized/filtered, permitting destruction of all tenant data (sources, agents, assessments) and causing critical loss of availability and integrity across the SaaS platform. Affected ...

9.1CVSS5.5AI score0.00288EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/10 1:55 p.m.14 views

CVE-2026-53471

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens JWTs for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the sourceid claim within these tokens against the requested source ID. This oversight allows an...

9.6CVSS5.5AI score0.00286EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.11 views

PT-2026-48444

Name of the Vulnerable Software and Affected Versions migration-planner affected versions not specified Description An improper access control flaw exists in the '/api/v1/sources/id/image-url' endpoint. An authenticated attacker can bypass ownership checks to obtain presigned S3 URLs for Open...

9.6CVSS5.9AI score0.0028EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/10 12:0 a.m.16 views

PT-2026-48443

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

9.1CVSS5.5AI score0.00288EPSS
Exploits0References4
Rows per page
Query Builder