Lucene search
K

30 matches found

EUVD
EUVD
added 2026/06/30 3:56 p.m.6 views

EUVD-2026-40356

RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task FlwTaskController without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global...

7.1CVSS5.9AI score0.00264EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/10 3:0 p.m.13 views

CVE-2026-47352

Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46,...

5.3CVSS5.5AI score0.00238EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/14 4:19 p.m.12 views

FlowiseAI: Vector Store No Permission Checks

FINDING 4: OpenAI Assistants Vector Store - No Auth on CRUD Operations Severity: HIGH CVSS 8.1 Type: CWE-306 Missing Authentication for Critical Function File: packages/server/src/routes/openai-assistants-vector-store/index.ts Description: ALL CRUD endpoints for OpenAI Assistants Vector Store hav...

8.8CVSS5.8AI score0.00327EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/14 10:27 p.m.7 views

Decidim's comments API allows access to all commentable resources

Impact The root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the /api endpoint. The /api endpoint is publicly available with the default configuration...

7.5CVSS5.9AI score0.00287EPSS
Exploits0References5Affected Software2
RubySec
RubySec
added 2026/04/14 12:0 a.m.11 views

Decidim's comments API allows access to all commentable resources

Impact The root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the /api endpoint. The /api endpoint is publicly available with the default configuration...

7.5CVSS5.8AI score0.00287EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2026/03/25 12:0 a.m.12 views

Apple macOS 安全漏洞

Apple macOS is a proprietary operating system developed by the American company Apple for Mac computers. Versions of Apple macOS prior to Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4 contain security vulnerabilities due to path handling issues. These vulnerabilities may cause applications to...

4CVSS5.8AI score0.0022EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/02 6:42 p.m.4 views

EUVD-2025-208204

In multiple locations, there is a possible way to delete media without the MANAGEEXTERNALSTORAGE permission due to an intent redirect. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

8.4CVSS6.1AI score0.00108EPSS
Exploits0References1
OSV
OSV
added 2026/01/13 12:15 p.m.6 views

CVE-2025-59022

Backend users who had access to the recycler module could delete arbitrary data from any database table defined in the TCA - regardless of whether they had permission to that particular table. This allowed attackers to purge and destroy critical site data, effectively rendering the website...

8.1CVSS6.8AI score
Exploits0References4
EUVD
EUVD
added 2025/12/17 9:30 a.m.8 views

EUVD-2025-203879

The component com.transsion.tranfacmode.entrance.main.MainActivity in com.transsion.tranfacmode has no permission control and can be accessed by third-party apps which can construct intents to directly open adb debugging functionality without user interaction...

6.5CVSS6.4AI score0.00169EPSS
Exploits0References3
Snyk
Snyk
added 2025/06/06 6:42 p.m.1 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the evaluation of multiple caveated branches in the schema. An attacker can receive a NOPERMISSION response when a HASPERMISSION response is expected by exploiting the incorrect handling of caveats in...

5.3CVSS7AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2025/06/06 6:42 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to the evaluation of multiple caveated branches in the schema. An attacker can receive a NOPERMISSION response when a HASPERMISSION response is expected by exploiting the incorrect handling of caveats in...

5.3CVSS7AI score0.00266EPSS
Exploits0References2
OSV
OSV
added 2024/09/25 5:43 p.m.37 views

GO-2024-3131 SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb

SpiceDB having multiple caveats on resources of the same type may improperly result in no permission in github.com/authzed/spicedb...

5.3CVSS4AI score0.0029EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2024/09/18 5:42 p.m.27 views

SpiceDB having multiple caveats on resources of the same type may improperly result in no permission

Background Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected For example, given this schema: definition user caveat somecaveatsomefield int somefield == 42 definition group relation member: user...

5.3CVSS6.7AI score0.0029EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2024/09/18 5:29 p.m.45 views

CVE-2024-46989 Multiple caveats on resources of the same type can result in no permission when permission is expected

spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resourc...

3.7CVSS0.0029EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/09/18 5:29 p.m.25 views

CVE-2024-46989 Multiple caveats on resources of the same type can result in no permission when permission is expected

spicedb is an Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications. Multiple caveats over the same indirect subject type on the same relation can result in no permission being returned when permission is expected. If the resourc...

3.7CVSS6.8AI score0.0029EPSS
Exploits0References2
OSV
OSV
added 2024/04/30 2:15 a.m.7 views

CVE-2024-4226

It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed...

3.5CVSS5.8AI score0.00303EPSS
Exploits0References1
CNNVD
CNNVD
added 2023/12/11 12:0 a.m.4 views

Apple macOS Ventura Security Vulnerability

Apple macOS Ventura is a desktop operating system from Apple Inc. in the United States. A security vulnerability exists in Apple macOS Ventura version 13.6.3, which stems from an application that may be able to monitor keystrokes without user permission...

5.5CVSS4.6AI score0.00322EPSS
Exploits0References5
NVD
NVD
added 2023/10/30 5:15 p.m.17 views

CVE-2023-21345

In Game Manager Service, there is a possible way to determine whether an app is installed, without query permissions, due to side channel information disclosure. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

3.3CVSS3.5AI score0.00082EPSS
Exploits0References1
OSV
OSV
added 2023/03/16 9:15 p.m.2 views

CVE-2023-21457

Improper access control vulnerability in Bluetooth prior to SMR Mar-2023 Release 1 allows attackers to send file via Bluetooth without related permission...

8.1CVSS7.3AI score
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2022/08/12 3:15 p.m.6 views

CVE-2022-20335

In Wifi Slice, there is a possible way to adjust Wi-Fi settings even when the permission has been disabled due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:...

3.3CVSS5.8AI score0.00086EPSS
Exploits0References2
Rows per page
Query Builder