61 matches found
EUVD-2026-38116
Capgo before 12.128.2 fails to enforce a maximum value on the minimum password length field in its password policy configuration. An authenticated organization administrator can set an extremely large numeric value e.g., billions of characters as the minimum password length, making compliance...
CVE-2026-54358
An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own...
CVE-2026-54357
An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership...
CVE-2026-54358 MISP organization administrators can target site administrator accounts for password reset
An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own...
EUVD-2026-36550
An incorrect authorization vulnerability in MISP allows an organization administrator to target site administrator accounts belonging to the same organization through the administrative email functionality. The affected code restricted organization administrators to users within their own...
CVE-2026-54357 MISP improper authorization allows organization administrators to modify site administrator user settings
An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership...
EUVD-2026-36549
An improper authorization vulnerability in MISP allowed an authenticated organization administrator to access or modify user settings belonging to site administrator accounts within the same organization. The affected access-control checks scoped administrative actions by organization membership...
PT-2026-48970
Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description An incorrect authorization issue allows an organization administrator to target site administrator accounts within the same organization using the administrative email functionality. The system...
PT-2026-48966
Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description An improper authorization issue allows an authenticated organization administrator to access or modify user settings of site administrator accounts within the same organization. This occurs...
EUVD-2026-31345
LiteLLM prior to 1.83.10 allows a user to modify their own userrole via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxyadmin...
CVE-2026-44380
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...
CVE-2026-44380 MISP: Improper access control in auth key reset allows privilege escalation to site administrator
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...
EUVD-2026-30167
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...
PT-2026-40808
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...
CVE-2026-42300
CVE-2026-42300 affects DevGuard’s SessionMiddleware and related components prior to version 1.2.2. The vulnerability arises because a client-supplied header, X-Admin-Token , is accepted and its raw value is used as the authenticated userID when no Kratos session cookie is present. An attacker who...
GHSA-2G9V-7MR5-FGJG DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header
Impact The SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated attacker who knows or can guess a target user's Kratos identity UUID can issue requests a...
EUVD-2026-20517
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An...
CVE-2026-32591
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An...
CVE-2026-32591
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An...
CVE-2026-32591 Mirror-registry: quay: server-side request forgery in proxy cache upstream registry configuration
A flaw was found in Red Hat Quay's Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An...