Lucene search
K

108 matches found

Vulnrichment
Vulnrichment
added 2026/04/14 12:0 a.m.2 views

CVE-2026-38530

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References2
CNNVD
CNNVD
added 2026/04/14 12:0 a.m.9 views

Webkul Krayin CRM 安全漏洞

Webkul Krayin CRM is a free and open-source CRM solution for small and medium-sized businesses from the Indian company Webkul. Version 2.2.x of Webkul Krayin CRM contains a security vulnerability. This vulnerability stems from an object-level authorization flaw in the...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References2
CVE
CVE
added 2026/04/14 12:0 a.m.15 views

CVE-2026-38530

CVE-2026-38530 describes a Broken Object-Level Authorization (BOLA) in the Webkul Krayin CRM v2.2.x, specifically in the /Controllers/Lead/LeadController.php endpoint. The authenticated user can read, modify, and permanently delete any lead owned by other users by sending a crafted GET request. T...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References2Affected Software1
CVE
CVE
added 2026/04/14 12:0 a.m.21 views

CVE-2026-38529

CVE-2026-38529 describes a Broken Object-Level Authorization (BOLA) in the Webkul Krayin CRM v2.2.x product. The vulnerability is located in the /Settings/UserController.php endpoint and allows authenticated attackers to arbitrarily reset user passwords and achieve full account takeover by sendin...

8.8CVSS5.8AI score0.00624EPSS
Exploits2References2Affected Software1
CVE
CVE
added 2026/04/14 12:0 a.m.10 views

CVE-2026-38532

Webkul Krayin CRM v2.2.x is affected by a Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint. The vulnerability enables an authenticated user to read, modify, or permanently delete contact records owned by other users by sending a crafted GET request. T...

8.1CVSS5.8AI score0.00351EPSS
Exploits2References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/20 2:42 p.m.2 views

CVE-2026-33312 Read-only Vikunja users can delete project background images via broken object-level authorization

Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delet...

5.3CVSS5.8AI score0.00211EPSS
Exploits1References2
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/20 12:0 a.m.7 views

Vikunja read-only users can delete project background images via broken object-level authorization

The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image...

5.4CVSS5.8AI score0.00211EPSS
Exploits1References5Affected Software1
NVD
NVD
added 2026/03/10 10:16 p.m.7 views

CVE-2026-31832

Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by...

5.4CVSS0.00179EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/10 9:49 p.m.3 views

CVE-2026-31832 Umbraco Backoffice API Allows Unauthorized Modification of Domain Data

Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by...

5.4CVSS5.8AI score0.00179EPSS
Exploits0References1
Wallarm Lab
Wallarm Lab
added 2026/03/02 1:0 p.m.7 views

Everyone Knows About Broken Authorization – So Why Does It Still Work for Attackers?

Broken authorization is one of the most widely known API vulnerabilities. It features in the OWASP Top 10, AppSec conversations, and secure coding guidelines. Broken Object Level Authorization BOLA and Broken Function Level Authorization BFLA account for hundreds of API vulnerabilities every...

6AI score
Exploits0
Vulnrichment
Vulnrichment
added 2026/02/09 8:48 p.m.3 views

CVE-2026-25810 PlaciPy is Missing Object-Level Authorization in student.submission.routes.ts

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization ownership checks...

5.3CVSS5.5AI score0.00246EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/09 8:48 p.m.33 views

CVE-2026-25810 PlaciPy is Missing Object-Level Authorization in student.submission.routes.ts

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization ownership checks...

5.3CVSS0.00246EPSS
Exploits0References1
CVE
CVE
added 2026/02/09 8:48 p.m.21 views

CVE-2026-25810

PlaciPy (educational placement system) has a vulnerability in version 1.0.0 where backend/src/routes/student.submission.routes.ts authenticates users but does not enforce object-level authorization (ownership checks). This could allow authenticated users to access or act on submissions that they ...

9.1CVSS5.5AI score0.00246EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/09 8:48 p.m.5 views

CVE-2026-25876 PlaciPy is Missing Authorization on Assessment Results Endpoint

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization ownership checks. For example, this can be used to return all results for an assessment...

5.3CVSS5.5AI score0.00246EPSS
Exploits0References1
OSV
OSV
added 2026/02/09 8:48 p.m.4 views

CVE-2026-25876 PlaciPy is Missing Authorization on Assessment Results Endpoint

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization ownership checks. For example, this can be used to return all results for an assessment...

5.3CVSS5.5AI score0.00246EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/09 12:0 a.m.6 views

PT-2026-7162

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization ownership checks. For example, this can be used to return all results for an assessment...

5.3CVSS5.5AI score0.00246EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/02/09 12:0 a.m.11 views

PlaciPy 安全漏洞

PlaciPy is an open-source employment management system developed by Praskla Technology. It aims to simplify the employment processes for students, trainers, and administrators in educational institutions. Version 1.0.0 of PlaciPy contains a security vulnerability. This vulnerability stems from th...

9.1CVSS5.8AI score0.00246EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/02/09 12:0 a.m.8 views

PlaciPy 安全漏洞

PlaciPy is an open-source employment management system developed by Praskla Technology. It aims to simplify the employment processes for students, trainers, and managers in educational institutions. Version 1.0.0 of PlaciPy contains a security vulnerability. This vulnerability stems from the...

9.1CVSS5.8AI score0.00246EPSS
Exploits0References1
CVE
CVE
added 2026/02/06 5:47 a.m.42 views

CVE-2026-0598

The connected PT-2026-6676 entry confirms a vulnerability in the Ansible Lightspeed API conversation endpoints used for AI chat interactions. Affected component: the conversation endpoints within Ansible Lightspeed API. Root cause:broken object-level authorization that fails to verify that the co...

4.2CVSS5.3AI score0.00222EPSS
Exploits0References3
Veracode
Veracode
added 2026/02/05 8:54 a.m.5 views

Broken Object Level Authorization (BOLA)

studiocms is vulnerable to a Broken Object Level Authorization BOLA vulnerability. The vulnerability is due to missing authorization checks in the Content Management feature, which allows a user with the “Visitor” role to access draft content created by Editor, Admin, or Owner users...

6.5CVSS5.5AI score0.00295EPSS
Exploits2References4Affected Software1
Rows per page
Query Builder