46 matches found
CVE-2026-22683
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
EUVD-2026-19747
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683
CVE-2026-22683 affects Windmill versions 1.56.0–1.614.0, where missing authorization checks on the Operator role allow prohibited entity creation and modification via the backend API. Operators can create/update scripts, flows, apps, and raw_apps, and can execute scripts via the jobs API, enablin...
CVE-2026-22683 Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683 Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
PT-2026-30913
Name of the Vulnerable Software and Affected Versions Windmill versions 1.56.0 through 1.614.0 Description Windmill versions 1.56.0 through 1.614.0 have a missing authorization vulnerability. Users with the Operator role can perform prohibited entity creation and modification actions via the...
EUVD-2023-60547
HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this flaw to gain full administrative acce...
EUVD-2023-60544
HiSecOS web server contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this flaw to gain full administrative acce...
CVE-2023-7342 Belden HiSecOS Web Server Privilege Escalation
HiSecOS web server versions 03.4.00 prior to 04.1.00 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this fla...
CVE-2023-7342
HiSecOS web server versions 03.4.00 prior to 04.1.00 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to the administrator role by sending specially crafted packets to the web server. Attackers can exploit this fla...
CVE-2023-7342
HiSecOS web server has a privilege-escalation flaw that allows authenticated users with operator or auditor roles to elevate to administrator by sending specially crafted packets to the web server, potentially granting full administrative control of the device. The available documents provide det...
OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
Summary A trusted-proxy Control UI pairing bypass accepted client.id=control-ui without device identity checks. The bypass did not require operator role, so an authenticated node role session could connect unpaired and reach node event methods. Impact With trusted-proxy authentication enabled, a...
GHSA-VVGP-4C28-M3JM OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
Summary A trusted-proxy Control UI pairing bypass accepted client.id=control-ui without device identity checks. The bypass did not require operator role, so an authenticated node role session could connect unpaired and reach node event methods. Impact With trusted-proxy authentication enabled, a...
CVE-2026-20098 Cisco Meeting Management Arbitrary File Upload Vulnerability
A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. This vulnerability is due to improper input validation in...
CVE-2026-20098 Cisco Meeting Management Arbitrary File Upload Vulnerability
A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. This vulnerability is due to improper input validation in...
CVE-2026-20098
Cisco Meeting Management is affected in the Certificate Management feature. The CVE-2026-20098 issue arises from improper input validation in the web-based management interface, allowing an authenticated remote attacker (with at least the video operator role) to upload arbitrary files, execute co...
Cisco Meeting Management Arbitrary File Upload Vulnerability
A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. This vulnerability is due to improper input validation in...
EUVD-2018-0916
Malware in sbrugna...