136 matches found
FatPipe WARP/IPVPN/MPVPN - Authorization Bypass
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain a missing authorization caused by lack of access control in the web management interface, letting remote attackers access sensitive URLs, exploit requires no authentication. id: CVE-2021-27858 info: name:...
CVE-2026-59704 Cap - Missing Access Control in Video AI Metadata Endpoint
Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generatio...
CVE-2026-59704 Cap - Missing Access Control in Video AI Metadata Endpoint
Cap's GET /api/video/ai endpoint fails to validate user ownership or membership before returning private video AI metadata including titles, summaries, and chapters. Authenticated attackers can supply arbitrary video IDs to read sensitive AI-generated content and trigger unauthorized AI generatio...
š ICagenda 3.9.14 / 4.0.7 Shell Upload
iCagenda, a popular events and calendar component for Joomla, contains an unauthenticated file upload vulnerability that allows remote attackers to upload and execute arbitrary PHP code on Joomla 6 sites. Versions 3.2.1 through 3.9.14 and 4.0.0 through 4.0.7 are affected.:1 CVE-2026-48939 -...
CVE-2026-44957
The CVE-2026-44957 vulnerability affects Revive Adserver 6.0.6 and earlier, where a missing access control check in the XML-RPC API modify methods allowed entities to be reassigned to different parent entities, causing inconsistent ownership. The issue is exploitable only in combination with CVE-...
EUVD-2026-38502
A missing access control check when invoking various modify methods in the XMLāRPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with...
CVE-2026-20259 Improper Access Control in Splunk Enterprise
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability editsavedsearchowner could reassign sav...
PT-2026-48499
šØ CVE-2026-20259 In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability edit saved search owne...
CVE-2026-46721
The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...
š Authentic 8 User Profile Insecure Direct Object Reference
Proof of concept exploit that demonstrates user data exposure via an insecure direct object reference and missing access control vulnerabilities in the User Profile endpoint of Authentic 8...
PT-2026-30821
Name of the Vulnerable Software and Affected Versions MLflow versions prior to 3.10.1 Description An authorization bypass exists in the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a specific experiment can directly...
GHSA-26GM-93RW-CCHF Open WebUI has unauthorized deletion of knowledge files
Summary An access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin, but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from...
EUVD-2025-209079
HCL Aftermarket DPC is affected by Missing Functional Level Access Control which will allow attacker to escalate his privileges and may compromise the application and may steal and manipulate the data...
CVE-2025-55261
HCL Aftermarket DPC is affected by Missing Functional Level Access Control which will allow attacker to escalate his privileges and may compromise the application and may steal and manipulate the data...
CVE-2025-55261
HCL Aftermarket DPC is affected by Missing Functional Level Access Control which will allow attacker to escalate his privileges and may compromise the application and may steal and manipulate the data...
PT-2026-28286
Name of the Vulnerable Software and Affected Versions HCL Aftermarket DPC affected versions not specified Description The application suffers from missing functional level access control, potentially allowing an attacker to escalate privileges and compromise the application. This could lead to th...
OpenEMR å®å Øę¼ę“
OpenEMR is a set of open-source medical management systems developed by the OpenEMR community. This system can be used for medical practice management, electronic medical records, prescription writing, and medical billing applications. Versions of OpenEMR prior to 8.0.0.3 contained security...
EUVD-2025-209029
IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control...
CVE-2025-36440
IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control...
CVE-2025-36440 Multiple Vulnerabilities in IBM Concert Software
IBM Concert 1.0.0 through 2.2.0 could allow a local user to obtain sensitive information due to missing function level access control...