108 matches found
CVE-2026-38530
A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...
Webkul Krayin CRM 安全漏洞
Webkul Krayin CRM is a free and open-source CRM solution for small and medium-sized businesses from the Indian company Webkul. Version 2.2.x of Webkul Krayin CRM contains a security vulnerability. This vulnerability stems from an object-level authorization flaw in the...
CVE-2026-38530
CVE-2026-38530 describes a Broken Object-Level Authorization (BOLA) in the Webkul Krayin CRM v2.2.x, specifically in the /Controllers/Lead/LeadController.php endpoint. The authenticated user can read, modify, and permanently delete any lead owned by other users by sending a crafted GET request. T...
CVE-2026-38529
CVE-2026-38529 describes a Broken Object-Level Authorization (BOLA) in the Webkul Krayin CRM v2.2.x product. The vulnerability is located in the /Settings/UserController.php endpoint and allows authenticated attackers to arbitrarily reset user passwords and achieve full account takeover by sendin...
CVE-2026-38532
Webkul Krayin CRM v2.2.x is affected by a Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint. The vulnerability enables an authenticated user to read, modify, or permanently delete contact records owned by other users by sending a crafted GET request. T...
CVE-2026-33312 Read-only Vikunja users can delete project background images via broken object-level authorization
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delet...
Vikunja read-only users can delete project background images via broken object-level authorization
The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image...
CVE-2026-31832
Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by...
CVE-2026-31832 Umbraco Backoffice API Allows Unauthorized Modification of Domain Data
Umbraco is an ASP.NET CMS. From 14.0.0 to before 16.5.1 and 17.2.2, A broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks. The issue is caused by...
Everyone Knows About Broken Authorization – So Why Does It Still Work for Attackers?
Broken authorization is one of the most widely known API vulnerabilities. It features in the OWASP Top 10, AppSec conversations, and secure coding guidelines. Broken Object Level Authorization BOLA and Broken Function Level Authorization BFLA account for hundreds of API vulnerabilities every...
CVE-2026-25810 PlaciPy is Missing Object-Level Authorization in student.submission.routes.ts
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization ownership checks...
CVE-2026-25810 PlaciPy is Missing Object-Level Authorization in student.submission.routes.ts
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization ownership checks...
CVE-2026-25810
PlaciPy (educational placement system) has a vulnerability in version 1.0.0 where backend/src/routes/student.submission.routes.ts authenticates users but does not enforce object-level authorization (ownership checks). This could allow authenticated users to access or act on submissions that they ...
CVE-2026-25876 PlaciPy is Missing Authorization on Assessment Results Endpoint
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization ownership checks. For example, this can be used to return all results for an assessment...
CVE-2026-25876 PlaciPy is Missing Authorization on Assessment Results Endpoint
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization ownership checks. For example, this can be used to return all results for an assessment...
PT-2026-7162
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization ownership checks. For example, this can be used to return all results for an assessment...
PlaciPy 安全漏洞
PlaciPy is an open-source employment management system developed by Praskla Technology. It aims to simplify the employment processes for students, trainers, and administrators in educational institutions. Version 1.0.0 of PlaciPy contains a security vulnerability. This vulnerability stems from th...
PlaciPy 安全漏洞
PlaciPy is an open-source employment management system developed by Praskla Technology. It aims to simplify the employment processes for students, trainers, and managers in educational institutions. Version 1.0.0 of PlaciPy contains a security vulnerability. This vulnerability stems from the...
CVE-2026-0598
The connected PT-2026-6676 entry confirms a vulnerability in the Ansible Lightspeed API conversation endpoints used for AI chat interactions. Affected component: the conversation endpoints within Ansible Lightspeed API. Root cause:broken object-level authorization that fails to verify that the co...
Broken Object Level Authorization (BOLA)
studiocms is vulnerable to a Broken Object Level Authorization BOLA vulnerability. The vulnerability is due to missing authorization checks in the Content Management feature, which allows a user with the “Visitor” role to access draft content created by Editor, Admin, or Owner users...