Lucene search
+L

1249 matches found

euvd
euvd
added 2 days ago4 views

EUVD-2026-44687

Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, Cloudreve's remote download workflow accepts user-supplied URLs at POST /api/v4/workflow/download and passes them to the configured downloader without blocking loopback, localhost, IPv6 localhost, or...

6.5CVSS6.2AI score0.00231EPSS
Exploits0References3
nvd
nvd
added 4 days ago2 views

CVE-2026-58410

ChurchCRM is an open-source church management system. Prior to version 7.4.0, there was an authorization flaw in the family-scoped endpoints which allowed low-privileged users to read and modify other families’ records. An authenticated non-admin user with EditSelf access can supply another...

7.1CVSS0.00174EPSS
Exploits0References1
snyk
snyk
added last week4 views

Incorrect Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization in the BulkUsersController::destroy process. An attacker can gain unauthorized ability to soft-delete other non-admin users by sending a direct POST...

7.1CVSS6.1AI score0.00285EPSS
Exploits1References2
nvd
nvd
added last week4 views

CVE-2026-55460

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with deleteuser=1 because BulkUsersController::destroy authorizes only update, allowing the user to...

7.1CVSS0.00285EPSS
Exploits1References3
cve
cve
added last week6 views

CVE-2026-55460

CVE-2026-55460 affects Snipe-IT (IT asset/license management system). Before version 8.6.2, an authenticated non-admin user who had rights users.view and users.edit but not users.delete could directly POST to /users/bulksave with delete_user=1 because BulkUsersController::destroy() authorized onl...

7.1CVSS6.1AI score0.00285EPSS
Exploits1References3Affected Software1
cvelist
cvelist
added last week32 views

CVE-2026-55460 Snipe-IT: Authorization bypass on bulk editing users

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated non-admin user with users.view and users.edit but without users.delete can directly POST to /users/bulksave with deleteuser=1 because BulkUsersController::destroy authorizes only update, allowing the user to...

7.1CVSS0.00285EPSS
Exploits1References3
ptsecurity
ptsecurity
added 2026/07/10 12:0 a.m.5 views

PT-2026-57264

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.6.2 Description An authenticated non-admin user possessing users.view and users.edit permissions, but lacking users.delete permissions, can perform a soft-delete of another non-admin user. This occurs because the...

7.1CVSS6.1AI score0.00285EPSS
Exploits1References9
nvd
nvd
added 2026/07/09 5:17 p.m.9 views

CVE-2026-59227

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to...

5.4CVSS0.00259EPSS
Exploits1References4
attackerkb
attackerkb
added 2026/07/09 5:12 p.m.11 views

CVE-2026-59225

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...

5.4CVSS6AI score0.00211EPSS
Exploits0References5Affected Software1
osv
osv
added 2026/07/09 5:12 p.m.4 views

CVE-2026-59225 Open WebUI: Arena task endpoints can bypass underlying model access controls

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...

5.4CVSS6.1AI score0.00211EPSS
Exploits0References6
attackerkb
attackerkb
added 2026/07/09 3:56 p.m.7 views

CVE-2026-59227

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to...

4.3CVSS6AI score0.00259EPSS
Exploits1References5Affected Software1
cve
cve
added 2026/07/09 3:56 p.m.9 views

CVE-2026-59227

Vulnerability summary: CVE-2026-59227 affects Open WebUI prior to 0.10.0. Affected endpoint: POST /api/v1/images/edit. The issue allowed a non-admin user with a verified account to bypass the global image-edit switch and per-user image-generation permissions, enabling server-side image editing wi...

5.4CVSS6AI score0.00259EPSS
Exploits1References4Affected Software1
osv
osv
added 2026/07/09 3:56 p.m.3 views

CVE-2026-59227 Open WebUI: POST /api/v1/images/edit bypasses the global image-edit switch and the per-user image-generation permission

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to...

4.3CVSS6.1AI score0.00259EPSS
Exploits1References6
ptsecurity
ptsecurity
added 2026/07/09 12:0 a.m.7 views

PT-2026-56888

Name of the Vulnerable Software and Affected Versions Open WebUI versions 0.8.12 through 0.9.x Description An authenticated non-admin user with read access to an arena wrapper model can access a restricted underlying model. This occurs because task endpoints, such as...

6.3CVSS6.2AI score0.00211EPSS
Exploits0References9
osv
osv
added 2026/07/07 8:56 p.m.6 views

CVE-2026-46700 Actual: Missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets

Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...

4.3CVSS6AI score0.00342EPSS
Exploits0References6
attackerkb
attackerkb
added 2026/07/07 8:56 p.m.6 views

CVE-2026-46700

Actual is a local-first personal finance tool. Prior to 26.6.0, the GET /secret/:name endpoint in @actual-app/sync-server checks only that the caller has a valid session and does not verify the caller is an admin, while the sibling POST /secret/ handler enforces an admin check in OpenID mode. Any...

4.3CVSS6AI score0.00342EPSS
Exploits0References5Affected Software1
attackerkb
attackerkb
added 2026/07/06 9:8 p.m.3 views

CVE-2026-34050

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially...

6.5CVSS5.9AI score0.00213EPSS
Exploits0References4Affected Software1
cve
cve
added 2026/07/06 9:8 p.m.15 views

CVE-2026-34050

CVE-2026-34050 affects Coolify, specifically the Settings/Updates Livewire component. The root cause is a missing isInstanceAdmin check in the component's mount method, allowing non-admin users to access the Updates settings page and potentially modify auto-update settings or trigger update check...

6.5CVSS5.9AI score0.00213EPSS
Exploits0References3
osv
osv
added 2026/07/06 9:8 p.m.4 views

CVE-2026-34050 Coolify Settings/Updates Livewire component missing instance administrator authorization

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially...

6.5CVSS5.9AI score0.00213EPSS
Exploits0References5
cve
cve
added 2026/06/30 3:52 p.m.21 views

CVE-2026-58168

Vulnerability overview: DeepTutor prior to v1.4.10 contains an authorization bypass in which the allowed_mcp_tools function returns None instead of denying access when mcp_tools is omitted from a user’s grant in deeptutor/multi_user/tool_access.py. This enables low-privilege users, including thos...

8.8CVSS5.8AI score0.00412EPSS
Exploits0References4
Rows per page
Query Builder