Lucene search
K

38 matches found

NVD
NVD
added 2 days ago4 views

CVE-2026-55077

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's passwor...

7.2CVSS0.00625EPSS
Exploits0References6
Cvelist
Cvelist
added 2 days ago28 views

CVE-2026-55077 Coder: User-admin role can reset owner account password

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's passwor...

7.2CVSS0.00625EPSS
Exploits0References6
CVE
CVE
added 2 days ago12 views

CVE-2026-55077

CVE-2026-55077 affects CodeR (github.com/coder/coder) prior to certain patched releases. The vulnerable endpoint is PUT /api/v2/users/{user}/password, which previously allowed a user-admin to reset an owner’s password because the permission set was limited to ActionUpdatePersonal and did not requ...

7.2CVSS6AI score0.00625EPSS
Exploits0References6Affected Software1
OSV
OSV
added 3 days ago3 views

GHSA-29XF-69GQ-M9JX Coder: User-admin role can reset owner account password

Summary The PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's password. It also did not require the current password when an admin reset another user's password. Note: Exploitation requires the privileg...

7.2CVSS6AI score0.00625EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 3 days ago7 views

Coder: User-admin role can reset owner account password

Summary The PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's password. It also did not require the current password when an admin reset another user's password. Note: Exploitation requires the privileg...

7.2CVSS6AI score0.00625EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-56067

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17 Description An issue exists where the PUT /api/v2/users/user/password endpoint only authorized the ActionUpdatePersona...

7.2CVSS6AI score0.00625EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.11 views

CVE-2026-32991

Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account...

7.1CVSS5.5AI score0.00227EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/28 1:27 p.m.14 views

EUVD-2026-32901

A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3...

5.3CVSS5.8AI score0.00207EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.12 views

PT-2026-42521

Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...

6.9CVSS5.8AI score0.00224EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/14 12:31 a.m.12 views

EUVD-2026-30205

Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account...

7.1CVSS5.8AI score0.00227EPSS
Exploits0References2
NVD
NVD
added 2026/05/13 11:16 p.m.14 views

CVE-2026-32991

Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account...

7.1CVSS0.00227EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/13 10:7 p.m.8 views

CVE-2026-32991

Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account...

7.1CVSS5.8AI score0.00227EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/13 10:7 p.m.47 views

CVE-2026-32991

Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account...

7.1CVSS0.00227EPSS
Exploits0References1
CVE
CVE
added 2026/05/13 10:7 p.m.16 views

CVE-2026-32991

CVE-2026-32991 arises from improper authorization checks of team member privileges in cPanel & WHM, enabling a team member to escalate to the team owner account. The PT Security entries consolidate multiple CVEs and indicate a patch will be released May 13, 1:00 PM EST, addressing CVE-2026-32991 ...

7.1CVSS5.8AI score0.00227EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/13 10:7 p.m.14 views

CVE-2026-32991

Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account...

7.1CVSS5.8AI score0.00227EPSS
Exploits0References2Affected Software3
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.11 views

cPanel 安全漏洞

cPanel is a web-based automated hosting platform developed by the cPanel company in the United States. This platform is primarily used for automating the management of websites and servers. cPanel has security vulnerabilities, which stem from improper permission authorization checks by team...

7.1CVSS5.8AI score0.00227EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2026/04/13 2:36 p.m.116 views

Exploit for CVE-2025-66849

CVE-2025-66849 Ghost CMS Privilege Escalation PoC Summar...

5.8AI score
Exploits1
Github Security Blog
Github Security Blog
added 2026/03/12 2:49 p.m.14 views

StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation

Summary The POST /studiocmsapi/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor doe...

7.2CVSS5.8AI score0.00344EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/12 2:49 p.m.3 views

GHSA-H7VR-CG25-JF8C StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation

Summary The POST /studiocmsapi/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor doe...

6.8CVSS5.9AI score0.00344EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/03/11 8:6 p.m.2 views

CVE-2026-32103 StudioCMS: IDOR — Admin-to-Owner Account Takeover via Password Reset Link Generation

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocmsapi/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account...

6.8CVSS5.8AI score0.00344EPSS
Exploits1References1
Rows per page
Query Builder