15 matches found
PT-2026-52574
Name of the Vulnerable Software and Affected Versions Bitwarden Server versions prior to 2026.5.0 Description An issue exists where authenticated Custom users with the ManageUsers permission can escalate privileges to remove Admin accounts from an organization. This occurs due to a missing role...
EUVD-2026-38463
NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the handleApprovalsResponse function that fails to verify responder role authorization. Attackers with a valid questionId can approve or reject privileged actions like package installation by submitting approval response...
CVE-2026-45549
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agentaction app/routes/smon/agentroutes.py:166-179 has decorators @bp.post'/agent/action/' and @jwtrequired only — no role check, no group ownership check on the serverip form...
PT-2026-45063
Summary Type: Authorization bypass enabling owner lockout. The DELETE /workspaces/workspace id/members/user id endpoint is gated only by require workspace memberworkspace id default min role="member". Any member can remove any other member, including the workspace owner, using a single DELETE...
CVE-2026-46425
Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM checks the Enterprise feature flag and SCIM config and doInScimContext sets the SCIM request context. There is no role check...
Budibase 安全漏洞
Budibase is an open-source low-code platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.38.2 contained security vulnerabilities. These vulnerabilities stemmed from a lack of...
CVE-2026-42185 People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation
People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user including users with no current domain access to the...
CVE-2026-42185 People: Privilege Escalation via Missing Role Ceiling in Mail Domain Invitation
People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user including users with no current domain access to the...
EUVD-2009-0010
Malware in sbrugna...
CVE-2025-6685
ATEN eco DC contains a missing authorization flaw in its web-based interface that can enable privilege escalation. The issue arises from not validating the assigned user role when handling requests, allowing an attacker with network access to escalate privileges to restricted resources; authentic...
WordPress plugin Opal Estate Pro 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...
CVE-2024-24966
When LDAP remote authentication is configured on F5OS, a remote user without an assigned role will be incorrectly authorized. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...
Couchbase Server 授权问题漏洞
Couchbase Server is a distributed, open source NoSQL non-relational database from Couchbase, Inc. that supports data querying, full-text searching, and active global replication. A security vulnerability exists in versions of Couchbase Server prior to 7.0.4, which stems from a lack of role checki...
CVE-2022-31022 Missing Role Based Access Control for the REST handlers in bleve/http package
Bleve is a text indexing library for go. Bleve includes HTTP utilities under bleve/http package, that are used by its sample application. These HTTP methods pave way for exploitation of a node’s filesystem where the bleve index resides, if the user has used bleve’s own HTTP bleve/http handlers fo...
Sourcecodester Baby Care System SQL注入漏洞
Sourcecodester Baby Care System is an application of the Sourcecodester community in the United States. Sourcecodester Baby Care System v1.0 contains a SQL injection vulnerability that originates in /admin/siteoptions.php & action=displaygoal & value=1 & roleid= where the roleid parameter is...