Lucene search
K

3755 matches found

CVE
CVE
added last week10 views

CVE-2026-59709

Ghostfolio CVE-2026-59709 affects the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint. The root cause is a missing verification of Access.permissions when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with va...

5.3CVSS6AI score0.002EPSS
Exploits0References4
Cvelist
Cvelist
added last week35 views

CVE-2026-59709 Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS0.002EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-53926

Name of the Vulnerable Software and Affected Versions RuoYi-Vue-Plus versions prior to 5.6.3 Description The software exposes workflow task management endpoints under '/workflow/task' FlwTaskController without proper permission checks. Because the controller lacks class-level or method-level...

7.1CVSS6AI score0.00264EPSS
Exploits0References8
OSV
OSV
added 2026/06/29 11:50 a.m.5 views

PYSEC-2026-480 praisonai-platform: Any workspace member can add arbitrary user as owner via POST /workspaces/{id}/members

Summary Type: Privilege escalation / cross-tenant member injection. The POST /workspaces/workspaceid/members endpoint is gated only by requireworkspacememberworkspaceid default minrole="member" and forwards the request body's userid and role straight into MemberService.addworkspaceid, userid, rol...

9.6CVSS5.8AI score0.00031EPSS
Exploits0References5
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-481 praisonai-platform: Any workspace member can promote themselves or others to owner via PATCH /workspaces/{id}/members/{user_id}

Summary Type: Vertical privilege escalation. The PATCH /workspaces/workspaceid/members/userid endpoint is gated by requireworkspacememberworkspaceid, which defaults to minrole="member" and is never overridden by the route. The handler then calls MemberService.updateroleworkspaceid, userid,...

9.6CVSS5.8AI score0.00032EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/26 2:43 p.m.34 views

CVE-2026-45256 Missing permission check in thr_kill2(2)

When used to deliver a signal to a specific thread, thrkill22 called pcansignal to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to th...

0.00092EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 2:43 p.m.33 views

CVE-2026-45256

CVE-2026-45256 affects FreeBSD thr_kill2(2). The kernel failed to verify the result of p_cansignal() before delivering a signal, allowing unprivileged local users who know target PIDs to signal processes they normally could not, including root-owned ones. This can lead to stopping or terminating ...

5.5CVSS5.9AI score0.00092EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/24 8:39 p.m.9 views

CVE-2026-57285

A flaw was found in the Jenkins GitHub Branch Source Plugin. A missing permission check allows an attacker with Overall/Read permission to obtain the URLs of GitHub Enterprise servers. This information disclosure could expose sensitive configuration details of the Jenkins environment...

4.3CVSS5.8AI score0.00216EPSS
Exploits0References4
NVD
NVD
added 2026/06/24 2:17 p.m.10 views

CVE-2026-57300

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access...

4.3CVSS0.00178EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 2:17 p.m.9 views

CVE-2026-57307

A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b450b1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

4.2CVSS0.0014EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 2:17 p.m.8 views

CVE-2026-57304

A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password...

5.4CVSS0.00161EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 2:17 p.m.9 views

CVE-2026-57285

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration...

4.3CVSS0.00216EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 2:17 p.m.7 views

CVE-2026-57286

A missing permission check in Jenkins Git Parameter Plugin 462.vdcf3df2ed2ca and earlier allows attackers with Item/Read permission to obtain information about the SCM repository used by a job, such as branch names, tag names, and revision metadata...

4.3CVSS0.00216EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/24 1:20 p.m.4 views

CVE-2026-57307

A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b450b1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

4.2CVSS5.8AI score0.0014EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 1:20 p.m.32 views

CVE-2026-57304

A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password...

0.00161EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 1:20 p.m.17 views

CVE-2026-57304

CVE-2026-57304 affects the Jenkins Assembla Plugin (versions ≤ 1.4). The root cause is a missing permission check, allowing attackers who have Overall/Read permission to instruct the plugin to connect to an attacker-specified URL using attacker-specified credentials. The description in connected ...

5.4CVSS5.8AI score0.00161EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/24 1:20 p.m.8 views

EUVD-2026-38785

A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password...

5.4CVSS5.8AI score0.00161EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/24 1:20 p.m.7 views

EUVD-2026-38781

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access...

4.3CVSS5.9AI score0.00178EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/24 1:20 p.m.9 views

EUVD-2026-38778

A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key...

5.8AI score0.00167EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 1:20 p.m.10 views

CVE-2026-57297

CVE-2026-57297 affects Jenkins via the Contrast Continuous Application Security Plugin (3.11 and earlier). The issue is a missing permission check that lets attackers with Overall/Read access cause a connection to an attacker‑specified URL using attacker‑provided credentials (username, API key, s...

5.4CVSS5.8AI score0.00167EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder