Lucene search
K

84 matches found

EUVD
EUVD
added 4 days ago6 views

EUVD-2026-41004

A flaw was found in Foreman. An authenticated user with host-edit permissions could exploit a cross-tenant information disclosure vulnerability. This flaw occurs because the taxonomyscope controller method does not properly validate organization and location IDs from nested request parameters,...

4.3CVSS5.8AI score0.00247EPSS
Exploits0References4
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-40141

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules...

6.4CVSS5.8AI score0.00177EPSS
Exploits0References2
CVE
CVE
added 2026/06/24 11:53 a.m.8 views

CVE-2026-56257

Capgo (CVE-2026-56257) before 12.128.2 allows an authorization bypass via PostgREST that patches public.apps.owner_org directly, bypassing the transfer_app() workflow and causing split-brain ownership. An attacker can update apps.owner_org while leaving app_versions.owner_org unchanged, allowing ...

7.1CVSS5.9AI score0.00182EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/20 12:14 a.m.31 views

CVE-2026-56216 Capgo - Scope Escalation via API Key Creation in /functions/v1/apikey

Capgo before 12.128.2 contains a scope escalation vulnerability in the POST /functions/v1/apikey endpoint that allows app-limited API keys to mint unrestricted keys by setting empty limits. Attackers with a compromised app-limited key can create an unrestricted key with org-wide access to resourc...

8.8CVSS0.00251EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.16 views

PT-2026-50135

Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description An issue exists in the token public-only scope enforcement where a public-only scoped API token can access private organization data. This occurs due to two flaws: the endpoint '/user/orgs' is...

4.3CVSS5.8AI score0.00271EPSS
Exploits0References8
NVD
NVD
added 2026/06/04 2:16 p.m.11 views

CVE-2026-10854

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially...

5.3CVSS0.00176EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/04 1:5 p.m.10 views

CVE-2026-10855

An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the...

5.1CVSS5.8AI score0.00154EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/02 10:2 p.m.11 views

CVE-2026-45632

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId...

9.9CVSS6AI score0.00256EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/29 4:40 p.m.34 views

CVE-2026-43917 Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints missing activeOrganizationId validation

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource's org matches the session's...

5.3CVSS0.00225EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/28 6:8 p.m.25 views

OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd

Summary An organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. Impact Full platform access, access to sensitive or proprietary information...

7.2CVSS5.8AI score0.00316EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/14 7:58 p.m.11 views

CVE-2026-44204

Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user any role to execute arbitrary SQL and read data from any table in the database, including data belonging to...

6.5CVSS6.2AI score0.00228EPSS
Exploits0References1
NVD
NVD
added 2026/05/11 11:20 p.m.16 views

CVE-2026-43912

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groupsusers.usersorganizationsuuid entry belongs to the same organization as groups.groupsuuid, or a collectionsgroups.collectionsuuid entry belongs to the same organization as...

8.7CVSS0.00289EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/11 9:56 p.m.10 views

EUVD-2026-29340

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groupsusers.usersorganizationsuuid entry belongs to the same organization as groups.groupsuuid, or a collectionsgroups.collectionsuuid entry belongs to the same organization as...

8.7CVSS5.9AI score0.00289EPSS
Exploits1References1
AlpineLinux
AlpineLinux
added 2026/05/11 9:56 p.m.11 views

CVE-2026-43912

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groupsusers.usersorganizationsuuid entry belongs to the same organization as groups.groupsuuid, or a collectionsgroups.collectionsuuid entry belongs to the same organization as...

8.7CVSS5.9AI score0.00289EPSS
Exploits1References1
NVD
NVD
added 2026/05/11 6:16 p.m.21 views

CVE-2026-43638

Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, which causes the server-side permission check to be...

5.4CVSS0.00188EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/05/11 5:13 p.m.41 views

CVE-2026-43638 Bitwarden Server < 2026.4.1 Missing Authorization via Organization Cipher Import

Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, which causes the server-side permission check to be...

5.4CVSS0.00188EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/05/11 5:13 p.m.14 views

CVE-2026-43638 Bitwarden Server < 2026.4.1 Missing Authorization via Organization Cipher Import

Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, which causes the server-side permission check to be...

5.4CVSS5.9AI score0.00188EPSS
Exploits1References5
CVE
CVE
added 2026/05/11 5:13 p.m.39 views

CVE-2026-43638

Bitwarden Server before 2026.4.1 contains a missing authorization vulnerability that lets any authenticated user write ciphers into an arbitrary organization via POST /ciphers/import-organization by submitting an empty collections array, bypassing the server-side permission check. Affected produc...

5.4CVSS5.9AI score0.00188EPSS
Exploits1References5Affected Software1
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.9 views

bitwarden 安全漏洞

Bitwarden is an open-source password management backend service developed by Bitwarden. Versions of Bitwarden prior to 2026.4.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization checks, allowing any authenticated user to write passwords to any...

5.4CVSS5.8AI score0.00188EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/05/06 6:30 p.m.9 views

Velocidex Velociraptor has an Incorrect Authorization issue

Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization the lowest authenticated role, holding only READRESULTS permission can issue a single authenticated HTTP GET that can read any files...

6.8CVSS5.7AI score0.00236EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder