31 matches found
CVE-2026-47125
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.2, the PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin...
CVE-2026-44850
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer offers an environment-level Disable bind mounts for...
Movable Type security vulnerability
Movable Type is a content management system developed by Movable Type Inc. A security vulnerability in Movable Type stems from missing authorization checks and may allow users without administrator privileges to log in and perform unexpected updates...
PT-2026-33731
Name of the Vulnerable Software and Affected Versions: SKYSEA Client View (affected versions not specified); SKYMEC IT Manager (affected versions not specified). Description: Improper file access permission settings in the installation folder allow a non-administrative user to manipulate or place arbitra...
CVE-2026-32680
The issue concerns RATOC RAID Monitoring Manager for Windows. If users customize the installer’s target folder, that folder may retain insecure ACLs, allowing non-administrative users to alter its contents. This can enable a non-administrative user to execute arbitrary code with SYSTEM privileges...
phpMyFAQ security vulnerabilities
phpMyFAQ is a multilingual, database-driven FAQ system developed by Thorsten Rinne. phpMyFAQ versions 4.0.16 and earlier contain security vulnerabilities that stem from authorization logic flaws, which may allow non-administrative users to trigger configuration backups and...
CVE-2026-23875
CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a missing permission check in CrawlChat's Discord bot allows guild members without manage permissions to put malicious content into the collection knowledge base...
CVE-2025-58097
The installation directory of LogStare Collector is configured with incorrect access permissions. A non-administrative user may manipulate files within the installation directory and execute arbitrary code with administrative privileges...
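The three installation-directory entries above (SKYSEA Client View, RATOC RAID Monitoring Manager, LogStare Collector) share one root cause: a folder that a privileged service later loads code from is writable by ordinary users. The check below is an added example, not code from any of those products: it parses captured output of the Windows `icacls` command and flags access control entries that grant a low-privileged principal a write-capable right. The directory path, the two `icacls` listings and the principal/rights lists are constructed assumptions for the example, not an authoritative reference.

```python
"""Flag ACEs that let low-privileged principals modify an install folder,
parsed from captured `icacls` output.

Added example for the install-directory permission entries above; not code
from any of those products. The sample output, the path and the two
lookup sets are this example's own assumptions.
"""
import re
from typing import List, Tuple

# Principals every local user effectively belongs to (assumed list).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls rights that allow creating, replacing or deleting content
# (simple rights F/M/W/D plus the specific rights that imply a write).
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WA", "WEA",
                "DE", "DC", "WDAC", "WO"}

# One ACE per line: "<principal>:(flag)(flag)(rights)"
ACE_RE = re.compile(r"^\s*(?P<principal>.+?):(?P<groups>(?:\([A-Za-z,]+\))+)\s*$")


def parse_icacls(path: str, output: str) -> List[Tuple[str, List[str], List[str]]]:
    """Return (principal, inheritance_flags, rights) for each ACE.

    icacls prints the queried path in front of the first ACE, so that
    prefix is stripped before the per-line ACE regex is applied.
    """
    aces = []
    for raw in output.splitlines():
        line = raw[len(path):] if raw.startswith(path) else raw
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the trailing "Successfully processed" summary
        groups = re.findall(r"\(([A-Za-z,]+)\)", m.group("groups"))
        # Each inheritance flag sits in its own parentheses; the access
        # rights are printed together in the final group.
        flags, rights = groups[:-1], groups[-1].split(",")
        aces.append((m.group("principal").strip(), flags, rights))
    return aces


def find_weak_aces(path: str, output: str) -> List[Tuple[str, str]]:
    """Return (principal, rights) for ACEs that give a low-privileged
    principal any write-capable right on the folder or its children."""
    weak = []
    for principal, _flags, rights in parse_icacls(path, output):
        if principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        if any(r in WRITE_RIGHTS for r in rights):
            weak.append((principal, ",".join(rights)))
    return weak


INSTALL_DIR = r"C:\Program Files\ExampleMonitor"  # constructed path

# Constructed: a user-chosen target folder that kept a Users:(F) ACE
# (the pattern the RATOC entry describes) plus a custom write grant.
WEAK_ACL = r"""C:\Program Files\ExampleMonitor BUILTIN\Users:(OI)(CI)(F)
                                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)
                                NT AUTHORITY\Authenticated Users:(OI)(CI)(RX,W)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed: the same folder with Users limited to read/execute.
HARDENED_ACL = r"""C:\Program Files\ExampleMonitor NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                BUILTIN\Administrators:(I)(OI)(CI)(F)
                                BUILTIN\Users:(I)(OI)(CI)(RX)
                                CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for label, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(label, find_weak_aces(INSTALL_DIR, acl))
```

On a real host the input is the output of `icacls "<install dir>"` run as any user; a non-empty result means an unprivileged account can drop or replace files that the service or its updater later executes. The usual fix is to re-apply the default Program Files ACL (administrators and SYSTEM full control, Users read and execute only) with `icacls` rather than to trust whatever the installer inherited from the chosen parent folder.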
CVE-2025-6990
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the THPhpCode pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated...
CVE-2024-45509
In MISP through 2.4.196, app/Controller/BookmarksController.php does not properly restrict access to bookmarks data in the case where the user is not an org admin...
CVE-2024-43435 Moodle: can create global glossary without being admin
A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary...
CVE-2024-43435
CVE-2024-43435 describes a Moodle vulnerability in which insufficient capability checks let users who can restore glossaries in courses restore them into the global site glossary. The issue centers on authorization logic for glossary restoration, enabling an unintended elevati...
Chamilo LMS security vulnerability
Chamilo LMS is an open source online learning and collaboration system from the Chamilo Association. The system supports creating instructional content, distance training, and online question-and-answer sessions. A security vulnerability exists in Chamilo LMS version 1.11.26, which stems...
PT-2024-31669 · Misp · Misp
Name of the Vulnerable Software and Affected Versions: MISP versions 2.4.196 and earlier Description: The issue concerns improper access restriction to bookmarks data in MISP when the user is not an org admin, specifically within the app/Controller/BookmarksController.php file. Recommendations: F...
CVE-2023-49978
Incorrect access control in Customer Support System v1 allows non-administrator users to access administrative pages and execute actions reserved for administrators...
PT-2024-20539 · Galette · Galette
Name of the Vulnerable Software and Affected Versions: Galette versions 1.0.0 through 1.0.1 Description: Galette is a membership management web application for non-profit organizations. By default, public pages are restricted to only administrators and staff members in versions prior to 1.0.2...
CVE-2024-24573
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, when a user updates their profile, a POST request containing user information is sent to the endpoint server/fm-modules/facileManager/ajax/processPost.php. It was found that non-admins can...
CVE-2024-24573 facileManager Privilege Escalation via Mass Assignment
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, when a user updates their profile, a POST request containing user information is sent to the endpoint server/fm-modules/facileManager/ajax/processPost.php. It was found that non-admins can...
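Most entries on this page are the same bug class seen from two sides: a privileged operation reachable without a role check (the Arcane global .env write, the Customer Support System admin pages, the Moodle global glossary restore) and a self-service update that copies every submitted field onto the record, so a non-admin can set a privilege field (the facileManager mass-assignment entry). The block below is an added, generic example of both server-side controls; it is not code from facileManager, Arcane or any other project listed here. The role names, field names, in-memory tables and the `demo()` helper are this example's assumptions.

```python
"""Two server-side authorization controls the listed entries lack:
an explicit role check on a privileged operation, and a field allowlist
on a self-service profile update so privilege fields cannot be
mass-assigned. Generic added example; roles, field names and the
in-memory store are assumptions, not any project's real schema.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Any, Callable, Dict


class Forbidden(Exception):
    """The acting user does not hold the role the operation requires."""


@dataclass
class User:
    username: str
    role: str            # assumed role names: "user" or "admin"
    email: str = ""


GLOBAL_ENV: Dict[str, str] = {}   # stands in for a system-wide .env file


def require_role(role: str) -> Callable:
    """Decorator: refuse the call unless the acting user holds `role`.

    The check runs on every call, so hiding a button in the UI is not
    what protects the operation."""
    def deco(fn):
        @wraps(fn)
        def wrapper(actor: User, *args, **kwargs):
            if actor.role != role:
                raise Forbidden(f"{actor.username} is not {role}")
            return fn(actor, *args, **kwargs)
        return wrapper
    return deco


@require_role("admin")
def put_global_env(actor: User, variables: Dict[str, str]) -> Dict[str, str]:
    """Privileged write: whatever is stored here is substituted into every
    deployment, so only admins may call it."""
    GLOBAL_ENV.clear()
    GLOBAL_ENV.update(variables)
    return dict(GLOBAL_ENV)


SELF_EDITABLE = {"email"}   # fields a user may change on their own record
ADMIN_ONLY = {"role"}       # privilege-bearing fields


def update_profile_vulnerable(actor: User, form: Dict[str, Any]) -> User:
    """Mass assignment: every posted field is copied onto the record, so a
    POST carrying role=admin promotes the caller. Deliberately insecure."""
    for key, value in form.items():
        setattr(actor, key, value)
    return actor


def update_profile(actor: User, form: Dict[str, Any]) -> User:
    """Allowlist version: unknown fields are rejected, privilege fields
    need the admin role, and the target is always the caller's own record."""
    unknown = set(form) - SELF_EDITABLE - ADMIN_ONLY
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    privileged = set(form) & ADMIN_ONLY
    if privileged and actor.role != "admin":
        raise Forbidden(f"{actor.username} may not change {sorted(privileged)}")
    for key, value in form.items():
        setattr(actor, key, value)
    return actor


def demo() -> Dict[str, str]:
    """Exercise both paths as a non-admin and report what each allowed."""
    escalated = update_profile_vulnerable(
        User("bob", "user"), {"email": "bob@example.invalid", "role": "admin"}).role
    try:
        update_profile(User("bob", "user"), {"email": "x", "role": "admin"})
        hardened = "allowed"
    except Forbidden:
        hardened = "forbidden"
    try:
        put_global_env(User("bob", "user"), {"DB_PASSWORD": "attacker"})
        env_write = "allowed"
    except Forbidden:
        env_write = "forbidden"
    return {"vulnerable_role": escalated, "hardened": hardened,
            "global_env_as_user": env_write}


if __name__ == "__main__":
    print(demo())
```

The two checks are independent: the allowlist stops a self-service endpoint from touching fields it was never meant to edit, and the role check makes the privileged endpoint refuse regardless of how the request was constructed. Rejecting unknown fields outright (rather than silently ignoring them) also surfaces probing in logs.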