Lucene search
K

32 matches found

Cvelist
Cvelist
added last week33 views

CVE-2026-55668 File Browser: ScopedFs follows a dangling symlink on write, letting a scoped user create files outside their scope

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...

6.3CVSS0.00269EPSS
Exploits0References3
OSV
OSV
added last week4 views

CVE-2026-55668 File Browser: ScopedFs follows a dangling symlink on write, letting a scoped user create files outside their scope

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...

6.3CVSS6.1AI score0.00269EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/24 11:53 a.m.9 views

EUVD-2026-38750

Cap-go before 12.128.2 contains an authorization bypass vulnerability in the GET /organization/members endpoint that allows org-limited API keys to bypass limitedtoorgs restrictions. Attackers with org-limited API keys can read membership data including uid, email, imageurl, role, and istmp from...

5.3CVSS5.9AI score0.00182EPSS
Exploits0References2
OSV
OSV
added 2026/06/16 11:55 p.m.10 views

GO-2026-5055 File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope in github.com/filebrowser/filebrowser

File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope in github.com/filebrowser/filebrowser...

7.5CVSS5.3AI score0.0046EPSS
Exploits0References3
CVE
CVE
added 2026/06/12 6:30 a.m.29 views

CVE-2026-12059

CVE-2026-12059 concerns the SSH service of Cellopoint’s CelloOS. The vulnerability is described as Improper Access Control that lets authenticated remote attackers bypass enforced command restrictions and execute operating system commands outside the originally authorized scope. Connected CVE rec...

8.8CVSS5.5AI score0.0045EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/11 2:30 p.m.12 views

EUVD-2026-36248

The crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints, allowing TLS clients to accept certificates whose Subject Alternative Names fall outside the issuing CA’s permitted subtrees. This oversight enables an attacker who compromises a name-constrained sub-CA to...

9.1CVSS5.4AI score0.00223EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/09 7:24 p.m.38 views

CVE-2026-47910 Dreamweaver Desktop | Incorrect Authorization (CWE-863)

Dreamweaver Desktop versions 21.7 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issu...

6.3CVSS0.00137EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/05/14 5:35 a.m.11 views

CVE-2026-3160

Removed by vendor...

5.8CVSS5.8AI score0.00224EPSS
Exploits0
EUVD
EUVD
added 2026/05/12 9:31 p.m.14 views

EUVD-2026-29742

Substance3D - Designer versions 15.1.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories...

6.3CVSS5.9AI score0.00177EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/05 3:31 p.m.10 views

EUVD-2026-27331

An issue that could allow a dashboard configuration to be viewed from outside of the authorized organization scope has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 5.0, Medium. This...

5CVSS5.7AI score0.00168EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/07 3:30 p.m.7 views

EUVD-2026-19694

An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N 5.8 Medium. This issue was fix...

5.8CVSS5.8AI score0.00191EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/07 3:30 p.m.7 views

EUVD-2026-19635

An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. Th...

5.8CVSS5.8AI score0.00208EPSS
Exploits0References3
NVD
NVD
added 2026/04/07 3:17 p.m.4 views

CVE-2026-5384

An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. This...

5.8CVSS0.00208EPSS
Exploits0References2
NVD
NVD
added 2026/04/07 3:17 p.m.7 views

CVE-2026-5374

An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. Th...

5.8CVSS0.00208EPSS
Exploits0References2
CVE
CVE
added 2026/04/07 2:12 p.m.12 views

CVE-2026-5383

Summary: CVE-2026-5383 affects runZero Explorer, described as an incorrect authorization (CWE-863) that could allow access to Explorer groups from outside the authorized organization scope. It is scored CVSSv3.1: AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4, Medium) and has been fixed in runZero Expl...

4.4CVSS5.8AI score0.00179EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.9 views

PT-2026-30874

Name of the Vulnerable Software and Affected Versions runZero Platform versions prior to 4.0.260203.0 Description A flaw allowed MCP agents to access certificate information beyond their authorized organizational boundaries. This is categorized as CWE-863: Incorrect Authorization. Recommendations...

3CVSS5.8AI score0.00118EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/07 12:0 a.m.7 views

PT-2026-30879

An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. This...

5.8CVSS5.8AI score0.00208EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/03/26 3:3 p.m.6 views

CVE-2026-32097

PingPong is a platform for using large language models LLMs for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files, including user-uploade...

8.8CVSS5.8AI score0.00288EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/02/23 12:0 a.m.12 views

PT-2026-21528

Name of the Vulnerable Software and Affected Versions versions prior to 2026 Description An improper access control issue allows authenticated users to access areas outside of their authorized scope. Recommendations At the moment, there is no information about a newer version that contains a fix...

7.1CVSS5.2AI score0.00209EPSS
Exploits0References4
Packet Storm
Packet Storm
added 2026/02/05 12:0 a.m.342 views

📄 Node.js 25.x Permission Model Sandbox Bypass / Path Traversal

This Metasploit module validates a sandbox escape weakness in the Node.js permission model that allows restricted file access bypass through symlink-based path traversal. When Node.js is executed with the --permission flag and limited filesystem read/write paths, the permission checks rely on...

9.1CVSS7.8AI score0.01633EPSS
Exploits2
Rows per page
Query Builder