PT-2026-37282
Name of the Vulnerable Software and Affected Versions: Grav API Plugin versions prior to 1.0.0-beta.15. Description: An insecure direct object reference and logic flaw in the update function of the UsersController allows any authenticated user with basic api.access permissions to modify their own...
CVE-2026-31445 mm/damon/core: avoid use of half-online-committed context
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: avoid use of half-online-committed context. One major usage of damon_call() is online DAMON parameters update. It is done by calling damon_commit_ctx() inside the damon_call() callback function. damon_commit_ctx() can fail for tw...
CVE-2026-27898
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial". Even though the standard retrieval API correctly denies access...
CVE-2026-27898 Vaultwarden: Unauthorized Access via Partial Update API on Another User’s Cipher
Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to version 1.35.4, an authenticated regular user can specify another user’s cipher_id and call "PUT /api/ciphers/{id}/partial". Even though the standard retrieval API correctly denies access...
CVE-2026-27898
Vaultwarden (unofficial Bitwarden-compatible server) is affected by CVE-2026-27898 prior to version 1.35.4. An authenticated regular user can specify another user’s cipher_id and call PUT /api/ciphers/{id}/partial; the endpoint returns 200 OK and exposes cipherDetails (name, notes, data, secureNo...
Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher
Summary: In the test environment, it was confirmed that an authenticated regular user can specify another user’s cipher_id and call: PUT /api/ciphers/{id}/partial. Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes...
EUVD-2026-9504
Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher...
GHSA-W9F8-M526-H7FH Vaultwarden has Unauthorized Access via Partial Update API on Another User’s Cipher
Summary: In the test environment, it was confirmed that an authenticated regular user can specify another user’s cipher_id and call: PUT /api/ciphers/{id}/partial. Even though the standard retrieval API correctly denies access to that cipher, the partial update endpoint returns 200 OK and exposes...
PT-2026-23073
Name of the Vulnerable Software and Affected Versions: Vaultwarden versions prior to 1.35.4. Description: Vaultwarden, a Bitwarden compatible server, had a flaw where an authenticated user could access another user’s cipher details by specifying their cipher id in a "PUT" request to the...