CVE-2026-31800 Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API rout...

CVE-2026-21721

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege...

CVE-2025-59021

Backend users with access to the redirects module and write permission on the sysredirect table were able to read, create, and modify any redirect record without restriction to the user’s own file-mounts or web-mounts. This allowed attackers to insert or alter redirects pointing to arbitrary URLs...

PT-2025-54257

Name of the Vulnerable Software and Affected Versions Akuvox Smart Intercom S539 affected versions not specified Description The Akuvox Smart Intercom S539 has an issue with access control. Users with 'User' privileges can modify API access settings and configurations. This can allow attackers to...

CVE-2021-47722 Zucchetti Axess CLOKI Access Control 1.64 Cross-Site Request Forgery

Zucchetti Axess CLOKI Access Control 1.64 contains a cross-site request forgery vulnerability that allows attackers to manipulate access control settings without user interaction. Attackers can craft malicious web pages with hidden forms to disable or modify access control parameters by tricking...

PT-2025-48661

Name of the Vulnerable Software and Affected Versions Sprecher Automations SPRECON-E-C Sprecher Automations SPRECON-E-P Sprecher Automations SPRECON-E-T3 Description The software is susceptible to unauthorized remote access due to the use of default cryptographic keys. An attacker can leverage...

CVE-2023-7322

Nagios Log Server versions prior to 2024R1 contain an incorrect authorization vulnerability. Users who lacked the required API permission were nevertheless able to invoke API endpoints, resulting in unintended access to data and actions exposed via the API. This incorrect authorization check coul...

BIT-NIFI-2022-33140 Improper Neutralization of Command Elements in Shell User Group Provider

The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 and Apache NiFi Registry 0.6.0 to 1.16.2 does not neutralize arguments for group resolution commands, allowing injection of operating system commands on Linux and macOS platforms. The ShellUserGroupProvider is not included in the...

PT-2024-18191 · Git +1 · Lunary +1

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue allows an attacker to join an organization without permission by knowing the organization's ID, granting them the ability to read and modify a...

PT-2024-2825 · Unknown · Netcat Cms

Name of the Vulnerable Software and Affected Versions: Netcat CMS affected versions not specified Description: The issue is related to a cross-site request forgery. Exploitation of this issue may allow a remote attacker to modify access rights in the file manager. Recommendations: At the moment,...

CVE-2022-21338

Vulnerability in the Oracle Communications Convergence product of Oracle Communications Applications component: General Framework. The supported version that is affected is 3.0.2.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle...

CVE-2021-25956

In “Dolibarr” application, v3.3.beta120121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since t...

CVE-2021-25956

In “Dolibarr” application, v3.3.beta120121221 to v13.0.2 have “Modify” access for admin level users to change other user’s details but fails to validate already existing “Login” name, while renaming the user “Login”. This leads to complete account takeover of the victim user. This happens since t...

IBM Security Guardium Data Encryption 访问控制错误漏洞

IBM Security Guardium Data Encryption GDE provides a modular set of encryption solutions that help security teams effectively implement data-at-rest security across the organization. An improper privilege control vulnerability exists in IBM Security Guardium Data Encryption 3.0.0.2. An attacker...

Oracle Financial Services Applications Financial Services Liquidity Risk Management Unauthorized Access Vulnerability

Financial Services Applications Financial Services Liquidity Risk Management is an Oracle Financial Services Applications Component: User Interface Oracle Financial Services Liquidity Risk Management product from Oracle Corporation. Oracle Financial Services Applications Financial Services...

CVE-2019-2756

Vulnerability in the Oracle Outside In Technology component of Oracle Fusion Middleware subcomponent: Outside In Filters. The supported version that is affected is 8.5.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Outside In...

CVE-2018-10722

In Cylance CylancePROTECT before 1470, an unprivileged local user can obtain SYSTEM privileges because users have Modify access to the %PROGRAMFILES%\Cylance\Desktop\log folder, the CyUpdate process grants users Modify access to new files created in this folder, and a new file can be a symlink...

Input validation

Perspective ICM Investigation & Case 5.1.1.16 allows remote authenticated users to modify access level permissions and consequently gain privileges by leveraging insufficient validation methods and missing cross server side checking mechanisms...

UBUNTU-CVE-2015-2172

DokuWiki before 2014-05-05d and before 2014-09-29c does not properly check permissions for the ACL plugins, which allows remote authenticated users to gain privileges and add or delete ACL rules via a request to the XMLRPC API...

UBUNTU-CVE-2012-6102

lib.php in the Submission comments plugin in the Assignment module in Moodle 2.3.x before 2.3.4 and 2.4.x before 2.4.1 allows remote attackers to read or modify the submission comments aka feedback comments of arbitrary users via a crafted URI...