
39 matches found

Nuclei
added 3 days ago, 112 views

Github Enterprise Authenticated Remote Code Execution

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the...

CVSS 9.8, AI score 7.8, EPSS 0.71725
Exploits 1, References 5
NVD
added last week, 6 views

CVE-2026-52800

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be add...

CVSS 8.8, EPSS 0.00248
Exploits 0, References 4
Cvelist
added last week, 20 views

CVE-2026-52800 Gogs: CSRF Leading to Organization Owner Takeover

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be add...

CVSS 8.8, EPSS 0.00248
Exploits 0, References 4
CVE
added last week, 14 views

CVE-2026-52800

CVE-2026-52800 (Gogs) : In Gogs 0.14.1 and earlier, organization team management endpoints were reachable via GET requests with CSRF protection disabled for GET, enabling state-changing actions like adding a user to the Owners team without proper CSRF checks. If the victim is an organization owne...

CVSS 8.8, AI score 5.9, EPSS 0.00248
Exploits 0, References 4
Cvelist
added 2026/06/23 6:07 p.m., 33 views

CVE-2026-54322 Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the targe...

CVSS 7.7, EPSS 0.00186
Exploits 0, References 1
EUVD
added 2026/06/23 6:07 p.m., 7 views

EUVD-2026-38563

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the targe...

CVSS 7.7, AI score 6.3, EPSS 0.00186
Exploits 0, References 1
CVE
added 2026/06/23 6:07 p.m., 11 views

CVE-2026-54322

The CVE-2026-54322 issue affects Daytona prior to 0.185.0, where organization role update/delete endpoints granted access based on the caller’s ownership of an org but validated the target role only by its identifier, not by org ownership. This cross-org IDOR lets an authenticated user who owns a...

CVSS 7.7, AI score 6.3, EPSS 0.00186
Exploits 0, References 1
OSV
added 2026/06/23 12:02 a.m., 1 view

GHSA-PWX3-QCGW-VH7H Gogs Vulnerable to CSRF Leading to Organization Owner Takeover

Summary In Gogs 0.14.1, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the...

CVSS 8.8, AI score 5.8, EPSS 0.00248
Exploits 0, References 5
Github Security Blog
added 2026/06/23 12:02 a.m., 10 views

Gogs Vulnerable to CSRF Leading to Organization Owner Takeover

Summary In Gogs 0.14.1, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the...

CVSS 8.8, AI score 5.8, EPSS 0.00248
Exploits 0, References 5, Affected Software 1
RedhatCVE
added 2026/05/12 12:42 p.m., 13 views

CVE-2026-43913

A flaw was found in Vaultwarden, a Bitwarden-compatible server. An authenticated user, who has been invited as an organization owner and accepted the invitation but has not yet been confirmed by an existing owner, can exploit this vulnerability. By calling a specific API endpoint, this user can...

CVSS 8.1, AI score 5.7, EPSS 0.00267
Exploits 1, References 2
Cvelist
added 2026/05/11 10:01 p.m., 39 views

CVE-2026-43913 Vaultwarden: Unconfirmed Owner Can Purge Entire Organization Vault

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, an...

CVSS 8.1, EPSS 0.00267
Exploits 1, References 1
EUVD
added 2026/05/11 10:01 p.m., 9 views

EUVD-2026-29341

Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The organization invite flow uses a two-step process: accepting an invite transitions membership from Invited to Accepted, an...

CVSS 8.1, AI score 5.8, EPSS 0.00267
Exploits 1, References 1
Positive Technologies
added 2026/05/11 12:00 a.m., 13 views

PT-2026-39863

Name of the Vulnerable Software and Affected Versions Vaultwarden versions prior to 1.35.5 Description Vaultwarden allows an unconfirmed organization owner to purge the entire organization vault. The issue exists because the 'POST /api/ciphers/purge' endpoint verifies that a user has the Owner...

CVSS 8.1, AI score 5.8, EPSS 0.00267
Exploits 1, References 3
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2020-28857

Malware in sbrugna...

CVSS 8.1, AI score 6.5, EPSS 0.01032
Exploits 0, References 2
RedhatCVE
added 2025/02/05 9:56 a.m., 15 views

CVE-2024-3504

An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in versi...

CVSS 8.1, AI score 6.6, EPSS 0.00494
Exploits 1, References 1
RedhatCVE
added 2025/02/04 11:02 p.m., 13 views

CVE-2024-0200

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the...

CVSS 9.8, AI score 7.9, EPSS 0.71725
Exploits 1, References 1
CNVD
added 2024/06/11 12:00 a.m., 1 view

Lunary Improper Access Control Vulnerability

Lunary is an open source production toolkit for LLMs. An improper access control vulnerability exists in Lunary, which can be exploited by an attacker to update any organization user to the organization owner...

CVSS 8.1, AI score 6.9, EPSS 0.00494
Exploits 1, References 1
Vulnrichment
added 2024/06/06 5:53 p.m., 12 views

CVE-2024-3504 Improper Access Control in lunary-ai/lunary

An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in versi...

CVSS 8.1, AI score 6.7, EPSS 0.00494
Exploits 1, References 2
CVE
added 2024/06/06 5:53 p.m., 49 views

CVE-2024-3504

CVE-2024-3504 affects lunary-ai/lunary up to version 1.2.2. The root cause is improper access control that allows an admin to elevate any organization user to the owner role, enabling the elevated user to delete projects within the organization. The issue is mitigated by upgrading to version 1.2....

CVSS 8.1, AI score 7.1, EPSS 0.00494
Exploits 1, References 2, Affected Software 1
Vulnrichment
added 2024/03/21 12:00 a.m., 13 views

CVE-2024-29866

Datalust Seq before 2023.4.11151 and 2024 before 2024.1.11146 has Incorrect Access Control because a Project Owner or Organization Owner can escalate to System privileges...

AI score 7.2, EPSS 0.0069
Exploits 0, References 2