Lucene search
K

305 matches found

OSV
OSV
added 2026/04/16 4:44 p.m.5 views

SUSE-SU-2026:1420-1 Security update for NetworkManager

This update for NetworkManager fixes the following issues: - CVE-2025-9615: non-admin users are allowed to use certificates from other users bsc1257359...

3.3CVSS5.7AI score0.00162EPSS
Exploits0References3
NVD
NVD
added 2026/04/14 4:16 p.m.8 views

CVE-2026-38533

An improper authorization vulnerability in the /api/v1/users/id endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request...

6.5CVSS0.00311EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/04/14 12:0 a.m.32 views

CVE-2026-38533

An improper authorization vulnerability in the /api/v1/users/id endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request...

0.00311EPSS
Exploits2References2
CNNVD
CNNVD
added 2026/04/14 12:0 a.m.7 views

Snipe-IT 安全漏洞

Snipe-IT is a set of open-source IT asset/license management systems developed by Grokability. Version Snipe-IT v8.4.0 contains a security vulnerability. This vulnerability stems from the improper authorization in the/api/v1/users/id endpoint, which may allow authenticated attackers with the...

6.5CVSS5.8AI score0.00311EPSS
Exploits2References3
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.12 views

PT-2026-32686

Name of the Vulnerable Software and Affected Versions Snipe-IT version 8.4.0 Description Improper authorization in the '/api/v1/users/id' endpoint allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users by...

6.5CVSS5.8AI score0.00311EPSS
Exploits2References6
CVE
CVE
added 2026/04/14 12:0 a.m.13 views

CVE-2026-38533

CVE-2026-38533 : In Snipe-IT v8.4.0, an improper authorization flaw in the /api/v1/users/{id} endpoint lets authenticated users with the users.edit permission modify sensitive authentication and account-state fields of other non-admin users via a crafted PUT request. Public details show the impac...

6.5CVSS5.8AI score0.00311EPSS
Exploits2References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/13 7:41 p.m.3 views

CVE-2026-33657

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard non-administrative privileges to inject arbitrary HTML into system-generated email notifications by crafting...

4.6CVSS5.8AI score0.00176EPSS
Exploits2References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.6 views

PT-2026-32509

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard non-administrative privileges to inject arbitrary HTML into system-generated email notifications by crafting...

4.6CVSS5.8AI score0.00176EPSS
Exploits2References4
OSV
OSV
added 2026/04/10 7:49 p.m.2 views

GHSA-W8JJ-CWMC-WGQ2 Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure

Summary The system log endpoints GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary...

4.3CVSS5.9AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/10 7:49 p.m.7 views

Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure

Summary The system log endpoints GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary...

5.9AI score
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/04/10 4:3 p.m.8 views

EUVD-2026-21432

OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce...

5.4CVSS5.9AI score0.00442EPSS
Exploits1References6
OSV
OSV
added 2026/04/10 12:48 p.m.6 views

SUSE-SU-2026:21121-1 Security update for NetworkManager

This update for NetworkManager fixes the following issues: - CVE-2025-9615: Fixed non-admin user using others' certificates bsc1257359...

3.3CVSS5.7AI score0.00162EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.9 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained security vulnerabilities. These vulnerabilities stemmed from the ability for non-administrator operators to self-request a broader scope during backend reconnection...

8.8CVSS5.8AI score0.00276EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/09 4:14 p.m.5 views

EUVD-2026-20954

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

2.3CVSS6AI score0.00208EPSS
Exploits1References3
Snyk
Snyk
added 2026/04/08 12:4 a.m.4 views

Incorrect Authorization

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Incorrect Authorization in the configuration for SSL certificate and key file paths due to incorrect option name checks. An attacker can gain unauthorized...

7.6CVSS5.9AI score0.00142EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/07 8:22 p.m.4 views

CVE-2026-39400

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

5.3CVSS6AI score0.00171EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/07 8:22 p.m.4 views

CVE-2026-39400 Stored XSS via Job HTML/Table Output in Cronicle

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

5.3CVSS5.9AI score0.00171EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/07 8:22 p.m.5 views

EUVD-2026-19923

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

5.3CVSS6AI score0.00171EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/04/07 5:32 p.m.1 views

CVE-2026-39328 ChurchCRM has Stored XSS in Social Profile Fields

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, an...

8.9CVSS5.9AI score0.00203EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/07 5:32 p.m.1 views

CVE-2026-39328

ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in ChurchCRM's person profile editing functionality. Non-administrative users who have the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, an...

8.9CVSS5.9AI score0.00203EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder