Lucene search
K

8 matches found

CVE
CVE
added 2026/07/07 8:53 p.m.10 views

CVE-2026-50007

The CVE affects the open-source personal finance app “Actual.” Before version 26.7.0, a missing authorization flaw allows a non-owner shared user (with user_access on a budget file) to perform file-management actions that should be owner- or admin-only. Specifically, endpoints such as /delete-use...

7.2CVSS5.9AI score0.00246EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/07/07 8:53 p.m.8 views

CVE-2026-50007

Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with useraccess on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users...

7.2CVSS5.9AI score0.00246EPSS
Exploits0References6Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/11 4:46 p.m.6 views

CVE-2026-44991

OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands...

4.2CVSS5.9AI score0.00237EPSS
Exploits0References5
CVE
CVE
added 2026/03/06 9:10 p.m.16 views

CVE-2026-30231

CVE-2026-30231 affects Flare, a Next.js-based self-hosted file sharing platform. Before version 1.7.2, raw and direct file routes failed to block authenticated non-owners who know a private file URL, enabling access that should be restricted. The issue is a private-file IDOR via raw/direct endpoi...

6CVSS5.7AI score0.00283EPSS
Exploits1References1Affected Software1
AlpineLinux
AlpineLinux
added 2026/03/06 9:10 p.m.3 views

CVE-2026-30231

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the...

6CVSS5.7AI score0.00283EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.11 views

PT-2026-23756

Name of the Vulnerable Software and Affected Versions Flare versions prior to 1.7.2 Description Flare, a Next.js-based file sharing platform, had a flaw where authenticated, non-owner users could access private files if they knew the file URL. This occurred because the raw and direct file routes...

6CVSS5.8AI score0.00283EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 2026/01/20 12:0 a.m.6 views

MiracleLinux 8 : postgresql:15 (AXSA:2024-7569:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2024-7569:01 advisory. postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL CVE-2024-0985 Tenable has extracted the preceding description block...

8CVSS6AI score0.01465EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 2024/03/13 1:54 p.m.2 views

postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL

A flaw was found in PostgreSQL. A late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL can allow an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling a safe refre...

8CVSS7.5AI score0.01465EPSS
Exploits0References4
Rows per page
Query Builder