Lucene search
K

33 matches found

EUVD
EUVD
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40429

Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...

8.8CVSS5.8AI score0.00303EPSS
Exploits0References3
NVD
NVD
added 2026/06/30 11:17 p.m.9 views

CVE-2026-56247

Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...

8.8CVSS0.00303EPSS
Exploits0References2
CVE
CVE
added 2026/06/30 10:8 p.m.19 views

CVE-2026-56333

Capgo before 12.128.2 is affected by a server-side validation bypass in organization security settings. The vulnerability lets authenticated org admins bypass backend validation by directly updating the public.orgs table from the browser, bypassing field-level checks such as max_apikey_expiration...

5.3CVSS5.8AI score0.00234EPSS
Exploits0References2
CVE
CVE
added 2026/06/30 10:8 p.m.19 views

CVE-2026-56247

Capgo prior to version 12.128.2 contains a privilege-escalation flaw where org admins can assign org-scoped RBAC roles at the app scope without validating role-scope compatibility, including assignments to pending invitees . Attackers can pre-seed malformed high-privilege bindings that survive in...

8.8CVSS5.8AI score0.00303EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-54037

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description Authenticated organization administrators can bypass server-side validation within organization security settings to persist an invalid security policy state. This is achieved by directly updating t...

5.3CVSS5.8AI score0.00234EPSS
Exploits0References4
OSV
OSV
added 2026/05/28 6:8 p.m.7 views

GHSA-Q537-QHJ4-WCJX OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd

Summary An organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. Impact Full platform access, access to sensitive or proprietary information...

7.2CVSS5.8AI score0.00316EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/28 2:15 p.m.9 views

CVE-2026-44730

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL o...

7.2CVSS5.8AI score0.00316EPSS
Exploits0References1
CVE
CVE
added 2026/05/26 5:3 p.m.26 views

CVE-2026-44730

OpenCTI (open-source platform for threat intel) has a privilege-escalation vulnerability affecting the GraphQL API prior to version 6.9.7. An organization admin can elevate privileges by adding a user from a different organization with higher privileges to their own organization due to an incorre...

7.2CVSS5.8AI score0.00316EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/05/26 5:3 p.m.61 views

CVE-2026-44730 OpenCTI: Privilege escalation via graphQL API abusable by organization admins, due to incorrect ACL on userEdit relationAdd

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. This is due to incorrect ACL o...

7.2CVSS0.00316EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/07 6:50 p.m.48 views

CVE-2026-43510 CISA manage.get.gov insecure portfolio administrative privileges

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30...

5.9CVSS0.00398EPSS
Exploits0References7
NVD
NVD
added 2026/04/07 3:17 p.m.5 views

CVE-2026-5373

An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N 8.1 High. This issue was fixed in version...

8.4CVSS0.00221EPSS
Exploits0References2
OSV
OSV
added 2025/10/08 9:30 p.m.5 views

GHSA-5M9M-J5P7-M7F9 Casdoor is vulnerable to Improper Authorization

An issue in the permission verification module and organization/application editing interface in Casdoor before 2.63.0 allows remote authenticated administrators of any organization within the system to bypass the system's permission verification mechanism by directly concatenating URLs after log...

7.2CVSS6.8AI score0.00613EPSS
Exploits0References6
OSV
OSV
added 2024/10/31 7:9 a.m.193 views

BIT-GRAFANA-2024-10452

Organization admins can delete pending invites created in an organization they are not part of...

2.7CVSS3.8AI score0.00496EPSS
Exploits0References8
SUSE CVE
SUSE CVE
added 2024/10/31 4:5 a.m.5 views

SUSE CVE-2024-10452

Organization admins can delete pending invites created in an organization they are not part of...

2.2CVSS7AI score0.00496EPSS
Exploits0References6
OSV
OSV
added 2024/10/29 6:30 p.m.210 views

GHSA-66C4-2G2V-54QW Grafana org admin can delete pending invites in different org

Organization admins can delete pending invites created in an organization they are not part of...

2.2CVSS3.8AI score0.00496EPSS
Exploits0References5
NVD
NVD
added 2024/10/29 4:15 p.m.15 views

CVE-2024-10452

Organization admins can delete pending invites created in an organization they are not part of...

2.7CVSS0.00496EPSS
Exploits0References1
OSV
OSV
added 2024/10/29 4:15 p.m.3 views

UBUNTU-CVE-2024-10452

Organization admins can delete pending invites created in an organization they are not part of...

2.7CVSS7.1AI score0.00496EPSS
Exploits0References3
Cvelist
Cvelist
added 2024/10/29 3:16 p.m.23 views

CVE-2024-10452

Organization admins can delete pending invites created in an organization they are not part of...

2.2CVSS0.00496EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2024/10/29 3:16 p.m.21 views

CVE-2024-10452

Organization admins can delete pending invites created in an organization they are not part of...

2.2CVSS7.2AI score0.00496EPSS
Exploits0References1
CVE
CVE
added 2024/10/29 3:16 p.m.384 views

CVE-2024-10452

CVE-2024-10452 affects Grafana (open‑source platform). The issue allows Organization administrators to delete pending invites in an organization they are not part of, representing an Authorization Bypass/Improper Access protection described in the connected advisories. Exploitation details are no...

2.7CVSS4AI score0.00496EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder