13 matches found
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the monitor API endpoints, which lack proper ownership enforcement. An attacker can read, modify, rename, or permanently delete another user's messages, sessions, build artifacts, and...
CVE-2026-7047
The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funpajaxmodifynotes function. This makes it possible for unauthenticated attackers to trick a logged-in...
CVE-2026-40214
In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...
CVE-2026-10855
An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the...
OpenStack Cyborg 安全漏洞
OpenStack Cyborg is an open-source acceleration resource management and scheduling service component of OpenStack. Versions of OpenStack Cyborg prior to 16.0.1 contained security vulnerabilities. These vulnerabilities stemmed from the fact that the accelerator request API did not enforce project...
CVE-2026-41910
OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model...
PT-2026-27197
Name of the Vulnerable Software and Affected Versions New API versions prior to 0.11.4-alpha.2 Description The software features an Insecure Direct Object Reference IDOR in the video proxy endpoint. Any authenticated user can access video content belonging to other users by exploiting a missing...
PT-2025-51890
Name of the Vulnerable Software and Affected Versions AVideo versions prior to 20.1 Description AVideo versions prior to 20.1 contain an insecure direct object reference issue. Users with upload permissions can modify the rotation metadata of any video. The ''/video/id'' endpoint verifies upload...
EUVD-2017-9596
Malware in sbrugna...
EUVD-2018-13476
Malware in sbrugna...
CVE-2018-20938
cPanel before 68.0.27 does not enforce ownership during addpkgext and delpkgext WHM API calls SEC-324...
CVE-2017-18480
cPanel before 62.0.4 does not enforce account ownership for hasmycnfforcpuser WHM API calls SEC-210...
CVE-2018-20938
cPanel before 68.0.27 does not enforce ownership during addpkgext and delpkgext WHM API calls SEC-324...