Lucene search
K

35 matches found

CVE
CVE
added 5 days ago11 views

CVE-2026-55659

Grist has a cross-site scripting (XSS) vulnerability (CVE-2026-55659) in server-rendered pages caused by embedding user-controlled values into the page and inline scripts without proper escaping. The issue affects pages where a document’s name/description is rendered and where the OAuth2 end-of-f...

7.7CVSS5.8AI score0.00275EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-55659 Grist: XSS through unsafe value interpolation in server-rendered pages

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's nam...

7.7CVSS0.00275EPSS
Exploits0References3
CVE
CVE
added 2026/07/07 8:53 p.m.10 views

CVE-2026-50007

The CVE affects the open-source personal finance app “Actual.” Before version 26.7.0, a missing authorization flaw allows a non-owner shared user (with user_access on a budget file) to perform file-management actions that should be owner- or admin-only. Specifically, endpoints such as /delete-use...

7.2CVSS5.9AI score0.00246EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/07/07 8:53 p.m.8 views

CVE-2026-50007

Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with useraccess on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users...

7.2CVSS5.9AI score0.00246EPSS
Exploits0References6Affected Software1
Snyk
Snyk
added 2026/07/06 8:53 p.m.5 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization via the PUT /api/v2/users/user/password endpoint. An attacker can gain unauthorized access to owner-level accounts by resetting their passwords without knowing the current password, allowing privilege escalation a...

8.6CVSS6AI score0.00615EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/24 8:20 p.m.5 views

CVE-2026-52804

Gogs is an open source self-hosted Git service. Prior to 0.14.3, a repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. This vulnerability is fixed in 0.14.3...

7CVSS5.9AI score0.00499EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/06/23 4:52 p.m.6 views

GHSA-4565-R4X7-HG8J Gogs Vulnerable to Privilege Escalation via Collaboration Access Mode Validation

Summary A repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. Vulnerable Code In internal/database/repocollaboration.go, line 129: go func r Repository ChangeCollaborationAccessModeuserI...

7CVSS5.9AI score0.00499EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/11 4:46 p.m.6 views

CVE-2026-44991

OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFrom settings. Attackers can exploit this by sending commands...

4.2CVSS5.9AI score0.00237EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/05 12:0 a.m.11 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. The version of OpenClaw from 2026.4.7 to 2026.4.14 contains security vulnerabilities. These vulnerabilities stem from a logic that downgrades the heartbeat owner, causing it to skip Webhook wake-up events carrying...

9.8CVSS5.9AI score0.00423EPSS
Exploits0References1
NVD
NVD
added 2026/03/29 1:16 p.m.7 views

CVE-2026-32914

OpenClaw before 2026.3.12 contains an insufficient access control vulnerability in the /config and /debug command handlers that allows command-authorized non-owners to access owner-only surfaces. Attackers with command authorization can read or modify privileged configuration settings restricted ...

8.8CVSS0.00251EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/13 8:55 p.m.6 views

OpenClaw: Command-authorized non-owners could reach owner-only `/config` and `/debug` surfaces

Summary OpenClaw documented /config and /debug as owner-only commands, but the command handlers checked only whether the sender was command-authorized. A lower-trust sender who was intentionally allowed to run commands could still reach privileged configuration and debugging surfaces. Impact This...

5.9AI score
Exploits0References5Affected Software1
GithubExploit
GithubExploit
added 2026/03/11 12:53 a.m.197 views

Exploit for CVE-2026-30944

🔓 CVE-2026-30944 StudioCMS Privilege Escalation via Insecure...

8.8CVSS5.8AI score0.00564EPSS
Exploits3
CVE
CVE
added 2026/03/06 9:10 p.m.15 views

CVE-2026-30231

CVE-2026-30231 affects Flare, a Next.js-based self-hosted file sharing platform. Before version 1.7.2, raw and direct file routes failed to block authenticated non-owners who know a private file URL, enabling access that should be restricted. The issue is a private-file IDOR via raw/direct endpoi...

6CVSS5.7AI score0.00283EPSS
Exploits1References1Affected Software1
AlpineLinux
AlpineLinux
added 2026/03/06 9:10 p.m.3 views

CVE-2026-30231

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to version 1.7.2, the raw and direct file routes only block unauthenticated users from accessing private files. Any authenticated, non‑owner user who knows the file URL can retrieve the...

6CVSS5.7AI score0.00283EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.9 views

PT-2026-23756

Name of the Vulnerable Software and Affected Versions Flare versions prior to 1.7.2 Description Flare, a Next.js-based file sharing platform, had a flaw where authenticated, non-owner users could access private files if they knew the file URL. This occurred because the raw and direct file routes...

6CVSS5.8AI score0.00283EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.8 views

PT-2026-23108

Name of the Vulnerable Software and Affected Versions Drupal File Access Fix deprecated versions prior to 1.2.0 Description The File Access Fix module deprecated has an authorization issue that allows for forceful browsing. The module manages file access, moving files between public and private...

5.8AI score0.00187EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/01/20 12:0 a.m.6 views

MiracleLinux 8 : postgresql:15 (AXSA:2024-7569:01)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2024-7569:01 advisory. postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL CVE-2024-0985 Tenable has extracted the preceding description block...

8CVSS6AI score0.01465EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2018-5656

Malware in sbrugna...

7.5CVSS7.6AI score0.01094EPSS
Exploits1References3
EUVD
EUVD
added 2025/10/07 12:30 a.m.6 views

EUVD-2018-5663

Malware in sbrugna...

7.5CVSS7.6AI score0.01071EPSS
Exploits1References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.13 views

EUVD-2025-27268

Malicious code in bioql PyPI...

8.6CVSS6.3AI score0.00392EPSS
Exploits0References4
Rows per page
Query Builder