FatPipe WARP/IPVPN/MPVPN - Authorization Bypass

FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain a missing authorization caused by lack of access control in the web management interface, letting remote attackers access sensitive URLs, exploit requires no authentication. id: CVE-2021-27858 info: name:...

CVE-2026-20259 Improper Access Control in Splunk Enterprise

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability editsavedsearchowner could reassign sav...

PT-2026-48499

🚨 CVE-2026-20259 In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability edit saved search owne...

CVE-2026-46721

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...

📄 Authentic 8 User Profile Insecure Direct Object Reference

Proof of concept exploit that demonstrates user data exposure via an insecure direct object reference and missing access control vulnerabilities in the User Profile endpoint of Authentic 8...

PT-2026-30821

Name of the Vulnerable Software and Affected Versions MLflow versions prior to 3.10.1 Description An authorization bypass exists in the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a specific experiment can directly...

GHSA-26GM-93RW-CCHF Open WebUI has unauthorized deletion of knowledge files

Summary An access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin, but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from...

EUVD-2025-209079

HCL Aftermarket DPC is affected by Missing Functional Level Access Control which will allow attacker to escalate his privileges and may compromise the application and may steal and manipulate the data...

CVE-2025-55261

HCL Aftermarket DPC is affected by Missing Functional Level Access Control which will allow attacker to escalate his privileges and may compromise the application and may steal and manipulate the data...

CVE-2025-55261

HCL Aftermarket DPC is affected by Missing Functional Level Access Control which will allow attacker to escalate his privileges and may compromise the application and may steal and manipulate the data...

OpenEMR 安全漏洞

OpenEMR is a set of open-source medical management systems developed by the OpenEMR community. This system can be used for medical practice management, electronic medical records, prescription writing, and medical billing applications. Versions of OpenEMR prior to 8.0.0.3 contained security...

PT-2026-28286

Name of the Vulnerable Software and Affected Versions HCL Aftermarket DPC affected versions not specified Description The application suffers from missing functional level access control, potentially allowing an attacker to escalate privileges and compromise the application. This could lead to th...

EUVD-2025-209029

IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control...

CVE-2025-36440

IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control...

CVE-2025-36440

CVE-2025-36440 affects IBM Concert versions 1.0.0 through 2.2.0. The vulnerability arises from missing function-level access control, enabling a local user to obtain sensitive information. The NVD entry and CVE records corroborate the vendor-reported impact and scope. The provided metrics indicat...

CVE-2025-36440 Multiple Vulnerabilities in IBM Concert Software

IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control...

CVE-2025-36440 Multiple Vulnerabilities in IBM Concert Software

IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control...

PT-2026-28116

IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control...

Information Disclosure

Glances is vulnerable to Information Disclosure. The vulnerability is due to missing access control and filtering in the /api/4/config endpoint, which returns the full configuration including sensitive data such as passwords, API tokens, and cryptographic keys...

CVE-2026-27457 Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet weblate/api/views.py, line 2831 uses queryset = Addon.objects.all without overriding getqueryset to scope results by user permissions. This allows any authenticated user or anonymous users if REQUIRELOG...