CVE-2026-3160

Removed by vendor...

EUVD-2026-29742

Substance3D - Designer versions 15.1.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories...

EUVD-2026-27331

An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 5.0, Medium. This...

EUVD-2026-19694

An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N 5.8 Medium. This issue was fix...

EUVD-2026-19635

An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. Th...

CVE-2026-5384

An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. This...

CVE-2026-5374

An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. Th...

CVE-2026-5383

Summary: CVE-2026-5383 affects runZero Explorer, described as an incorrect authorization (CWE-863) that could allow access to Explorer groups from outside the authorized organization scope. It is scored CVSSv3.1: AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4, Medium) and has been fixed in runZero Expl...

PT-2026-30879

An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. This...

PT-2026-30874

Name of the Vulnerable Software and Affected Versions runZero Platform versions prior to 4.0.260203.0 Description A flaw allowed MCP agents to access certificate information beyond their authorized organizational boundaries. This is categorized as CWE-863: Incorrect Authorization. Recommendations...

CVE-2026-32097

PingPong is a platform for using large language models LLMs for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploade...

PT-2026-21528

Name of the Vulnerable Software and Affected Versions versions prior to 2026 Description An improper access control issue allows authenticated users to access areas outside of their authorized scope. Recommendations At the moment, there is no information about a newer version that contains a fix...

📄 Node.js 25.x Permission Model Sandbox Bypass / Path Traversal

This Metasploit module validates a sandbox escape weakness in the Node.js permission model that allows restricted file access bypass through symlink-based path traversal. When Node.js is executed with the --permission flag and limited filesystem read/write paths, the permission checks rely on...

CVE-2026-1201

An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation...

CVE-2025-70985

Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope...

PT-2025-41272

Name of the Vulnerable Software and Affected Versions Tenable Security Center versions prior to 6.7.0 Description An improper access control issue exists where an authenticated user can access areas outside of their authorized scope. This could lead to potential data exposure. Recommendations...

CVE-2025-27217

A Server-Side Request Forgery SSRF in the UISP Application may allow a malicious actor with certain permissions to make requests outside of UISP Application scope...

CVE-2025-27217

The CVE-2025-27217 entry concerns a Server-Side Request Forgery (SSRF) in the UISP Application. Affected software: UISP Application. Vulnerability: SSRF allowing a user with certain permissions to make requests outside the UISP scope. Root cause: SSF vulnerability within the UISP Application; imp...

PT-2025-34176 · Ubiquiti · Uisp Application

Name of the Vulnerable Software and Affected Versions: UISP Application affected versions not specified Description: A Server-Side Request Forgery SSRF exists in the UISP Application. This issue may allow a malicious actor with certain permissions to make requests outside of the application’s...

PT-2024-3241 · Cyberpower · Cyberpower Powerpanel

Name of the Vulnerable Software and Affected Versions: CyberPower PowerPanel affected versions not specified Description: The issue is related to the processing of relative paths in the PowerPanel system, which can be exploited by importing a specially crafted Zip file containing path traversal...