CVE-2026-7106

The Highland Software Custom Role Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 1.0.0. This is due to insufficient authorization checks in the hscrmsaveuserroles function, which is hooked to the personaloptionsupdate action accessible by any...

CVE-2026-40041

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload,...

CVE-2026-40041

CVE-2026-40041 affects Pachno 1.0.6 and describes a cross-site request forgery (CSRF) vulnerability arising from missing CSRF protections on state-changing endpoints. Attackers can craft requests that execute actions in an authenticated user context via attacker-controlled sites, targeting login,...

PT-2026-32495

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload,...

CVE-2026-27591

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...

CVE-2026-27591

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...

CVE-2020-36920 iDS6 DSSPro Digital Signage System 6.2 Privilege Escalation via Access Control

iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by...

CVE-2020-36920

CVE-2020-36920 affects iDS6 DSSPro Digital Signage System, version 6.2. The vulnerability is due to improper access control that enables authenticated users to escalate privileges via console JavaScript functions. Attackers can create users and modify roles/permissions, potentially taking full co...

PT-2026-1453

iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by...

Linux Distros Unpatched Vulnerability : CVE-2020-25699

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In moodle, insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course...

CVE-2023-29058

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions...

CVE-2021-4345

The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability and nonce checks on the UlistingUserRole::saveroleapi method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to remove or add roles, and add capabilities...

CVE-2023-4822

Grafana is an open-source platform for monitoring and observability. The vulnerability impacts Grafana instances with several organizations, and allows a user with Organization Admin permissions in one organization to change the permissions associated with Organization Viewer, Organization Editor...

CVE-2023-29058

A valid, authenticated XCC user with read-only permissions can modify custom user roles on other user accounts and the user trespass message through the XCC CLI. There is no exposure if SSH is disabled or if there are no users assigned optional read-only permissions...

Lenovo XClarity Controller 安全漏洞

Lenovo XClarity Controller XCC is a server-embedded management engine from Lenovo China that is used to standardize and automate basic server management tasks. A security vulnerability exists in Lenovo XClarity Controller that originates from a valid XCC user with read-only privileges and...

CVE-2021-41311

Affected versions of Atlassian Jira Server and Data Center allow attackers with access to an administrator account that has had its access revoked to modify projects' Users & Roles settings, via a Broken Authentication vulnerability in the /plugins/servlet/project-config/PROJECT/roles endpoint. T...

CVE-2000-0725

CVE-2000-0725 affects Zope prior to 2.2.1. The vulnerability arises in the getRoles method, where access is insufficiently restricted, allowing a user who can edit DTML to modify the roles list included in a request and thereby add or modify roles. The issue is described across multiple connected...