Lucene search
K

117 matches found

Snyk
Snyk
added 2026/07/02 8:3 p.m.4 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization in the actionMoveFolder process. An attacker can remove destination folders and their contents without having delete permissions on the destination by initiating a force...

7.1CVSS6AI score0.00207EPSS
Exploits0References2
NVD
NVD
added 2026/07/02 5:17 p.m.9 views

CVE-2026-50282

Craft CMS is a content management system CMS. Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function...

7.1CVSS0.00207EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/02 4:15 p.m.35 views

CVE-2026-50282 Craft CMS: Unauthorized Deletion of Destination Folders During Forced Moves

Craft CMS is a content management system CMS. Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function...

7.1CVSS0.00207EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/02 4:15 p.m.7 views

EUVD-2026-41416

Craft CMS is a content management system CMS. Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function...

7.1CVSS5.7AI score0.00207EPSS
Exploits0References1
CVE
CVE
added 2026/07/02 4:15 p.m.29 views

CVE-2026-50282

Craft CMS contains an authorization issue in AssetsController::actionMoveFolder where calling with force=true to move a folder into a destination with a conflicting name can overwrite and delete the destination folder without destination delete permission. Affected versions are 5.0.0-RC1 and abov...

7.1CVSS5.7AI score0.00207EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/07/02 12:0 a.m.8 views

Linux Distros Unpatched Vulnerability : CVE-2026-53328

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - schedext: Don't warn on NULL cgrpmovingfrom in scxcgroupmovetask A WARN fires when systemd's user manager writes +cpu +memory +pids to its own subtreecontrol...

6AI score0.00168EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.15 views

TYPO3 CMS 安全漏洞

TYPO3 CMS is a content management system developed under the TYPO3 open source framework. There is a security vulnerability in TYPO3 CMS, which stems from unauthorized backend users having access to write operations on the root directory of active files. This can lead to unauthorized moves,...

7.2CVSS5.4AI score0.00238EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:27 p.m.12 views

CVE-2026-40300

Zulip is an open-source team collaboration tool. Prior to 12.0, With messageedithistoryvisibilitypolicy set to "moves", /api/v1/messages/id/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This...

6.5CVSS5.5AI score0.00247EPSS
Exploits1References1
CVE
CVE
added 2026/05/28 6:32 p.m.36 views

CVE-2026-45042

RustFS is a distributed object storage system in Rust. Prior to 1.0.0-beta.2, the UploadPartCopy operation could copy objects across buckets without enforcing destination bucket policy on the source, because the implementation separately validates GetObject on the source and PutObject on the dest...

7.1CVSS5.8AI score0.00207EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/27 5:17 p.m.12 views

Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling

Summary Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without adding an authentication plugin in the WebDAV controller. The Tree::move implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An...

6AI score0.00141EPSS
Exploits0References5Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/14 3:36 p.m.8 views

CVE-2026-42590

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix...

8.2CVSS5.9AI score0.0029EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2026/05/12 5:16 p.m.13 views

CVE-2026-40300

Zulip is an open-source team collaboration tool. Prior to 12.0, With messageedithistoryvisibilitypolicy set to "moves", /api/v1/messages/id/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This...

6.5CVSS0.00247EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/12 4:33 p.m.37 views

CVE-2026-40300 Zulip: Message edit history visible in "moves only" policy through /api/v1/messages/{id}/history

Zulip is an open-source team collaboration tool. Prior to 12.0, With messageedithistoryvisibilitypolicy set to "moves", /api/v1/messages/id/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This...

6CVSS0.00247EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/12 4:33 p.m.7 views

CVE-2026-40300 Zulip: Message edit history visible in "moves only" policy through /api/v1/messages/{id}/history

Zulip is an open-source team collaboration tool. Prior to 12.0, With messageedithistoryvisibilitypolicy set to "moves", /api/v1/messages/id/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This...

6CVSS5.8AI score0.00247EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/12 4:33 p.m.6 views

CVE-2026-40300

Zulip is an open-source team collaboration tool. Prior to 12.0, With messageedithistoryvisibilitypolicy set to "moves", /api/v1/messages/id/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This...

6CVSS5.8AI score0.00247EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/05/12 4:33 p.m.17 views

CVE-2026-40300

Summary of vulnerability (CVE-2026-40300) Affected software: Zulip open-source team collaboration tool (prior to version 12.0). Root cause: When message_edit_history_visibility_policy is set to the value "moves", the endpoint /api/v1/messages/{id}/history continues to return historical content va...

6.5CVSS5.8AI score0.00247EPSS
Exploits1References1Affected Software1
EUVD
EUVD
added 2026/05/12 4:33 p.m.13 views

EUVD-2026-29537

Zulip is an open-source team collaboration tool. Prior to 12.0, With messageedithistoryvisibilitypolicy set to "moves", /api/v1/messages/id/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This...

6CVSS5.8AI score0.00247EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.16 views

PT-2026-40100

Zulip is an open-source team collaboration tool. Prior to 12.0, With message edit history visibility policy set to "moves", /api/v1/messages/id/history still returns historical content values, allowing low-privilege users to recover text that was edited away from other users' messages. This...

6CVSS5.8AI score0.00247EPSS
Exploits1References2
RedHat Linux
RedHat Linux
added 2026/05/11 6:39 p.m.10 views

golang: cmd/compile: no-op interface conversion bypasses overlap checking

A flaw was found in the cmd/compile package in the Go standard library. A no-op interface conversion prevented the compiler from correctly identifying non-overlapping memory moves. As a result, the compiler allows unsafe memory move operations to occur at runtime, potentially causing data...

7.1CVSS5.8AI score0.00261EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/05/06 8:46 p.m.32 views

CVE-2026-40281 Gotenberg vulnerable to argument injection via newlines in ExifTool metadata values

Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but leaves metadata values unsanitized. A newline character in a metadata value splits the ExifTool stdin line into two separate...

10CVSS0.00611EPSS
Exploits1References2
Rows per page
Query Builder