33 matches found
CVE-2026-54262
Wagtail’s CVE-2026-54262 affects the translation feature. In versions before 7.0.8, 7.3.3, and 7.4.2, a user with the can submit translation permission could create translations for any page, including pages they lack access to. The root cause is described as a permission/authorization issue rela...
CVE-2026-47350 TYPO3 CMS - Broken Access Control in DataHandler
Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3...
CVE-2026-47350 TYPO3 CMS - Broken Access Control in DataHandler
Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3...
CVE-2026-44200
CVE-2026-44200 Overview (Wagtail) : Wagtail (Django-based CMS) had a permission flaw where a user with limited access to pages could copy a page they cannot access to a location they can, then view its contents and potentially publish it. The root cause was that source-page permissions were not e...
CVE-2026-40099
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... It is also possible to customize th...
EUVD-2026-25370
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... It is also possible to customize th...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-001576)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001576 advisory. arch/x86/kvm/mmu/pagingtmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection...
CVE-2025-65089 XWiki view file macro: User can view content of office file without view rights on the attachment
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This issue has been patched in version 1.27.0...
EUVD-2020-24909
Malware in sbrugna...
EUVD-2015-8823
Malware in sbrugna...
GHSA-9436-3GMP-4F53 grav Server-side Template Injection (SSTI) mitigation bypass
Summary The fix for SSTI using |map, |filter and |reduce twigs implemented in the commit 71bbed1 introduces bypass of the denylist due to incorrect return value from isDangerousFunction, which allows to execute the payload prepending double backslash \ Details The isDangerousFunction check in...
PT-2023-24777 · Grav · Grav
Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.42 Description: The issue concerns a flat-file content management system where the denylist, introduced to prevent the execution of dangerous functions via malicious template injection, was insufficient. This allowe...
Moodle 安全漏洞
Moodle is a free, open source e-learning software platform, also known as a course management system, learning management system, or virtual learning environment. A security vulnerability exists in Moodle that stems from an insufficient restriction of start page preferences, which can be exploite...
SUSE CVE-2015-8967
arch/arm64/kernel/sys.c in the Linux kernel before 4.0 allows local users to bypass the "strict page permissions" protection mechanism and modify the system-call table, and consequently gain privileges, by leveraging write access...
SUSE CVE-2021-38198
arch/x86/kvm/mmu/pagingtmpl.h in the Linux kernel before 5.12.11 incorrectly computes the access permissions of a shadow page, leading to a missing guest protection page fault...
TotoLink A702r 安全漏洞
TOTOLINK A702r is a router device from China-based Gion Electronics TOTOLINK.A security vulnerability exists in TOTOLINK A702r, which stems from the product's login page that does not add effective permission control for directory access. An attacker can access the /add/, /img/, /js/, /mobile...
Linux kernel 安全漏洞
Linux kernel is the kernel used by the Linux Foundation's open source operating system Linux. Linux kernel is vulnerable due to a failure to properly access permissions flaw in the shadow page in arch/x86/kvm/mmu/pagingtmpl.h. By sending a build request, a local attacker could exploit this flaw t...
UBUNTU-CVE-2021-29971
If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. This bug only affects Firefox for Android. Other operating systems are unaffected.. This vulnerability affects Firefox 90...
CVE-2020-26260 Server Side Request Forgery in BookStack
BookStack is a platform for storing and organising information and documentation. In BookStack before version 0.30.5, a user with permissions to edit a page could set certain image URL's to manipulate functionality in the exporting system, which would allow them to make server side requests and/o...
CVE-2020-26211 Cross-Site Scripting in BookStack
In BookStack before version 0.30.4, a user with permissions to edit a page could insert JavaScript code through the use of javascript: URIs within a link or form which would run, within the context of the current page, when clicked or submitted. Additionally, a user with permissions to edit a pag...