Lucene search
K

2540 matches found

Cvelist
Cvelist
added 3 hours ago7 views

CVE-2026-58555

Permission bypass vulnerability in the card module. Impact: Successful exploitation of this vulnerability may affect availability...

6.6CVSS
Exploits0References2
EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-44658

Permission bypass vulnerability in the card module. Impact: Successful exploitation of this vulnerability may affect availability...

6.6CVSS6.1AI score
Exploits0References2
CVE
CVE
added 3 hours ago6 views

CVE-2026-58555

Technical details are not publicly available in the provided documents. Monitor for updates on CVE-2026-58555.

6.6CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 4 hours ago3 views

EUVD-2026-44635

n8n before versions 1.123.61, 2.27.4, and 2.28.1 contains a permission bypass vulnerability in external secrets handling caused by a mismatch between the static validation check and the runtime expression engine. An authenticated user with credential create or update permissions but without the...

6CVSS6.2AI score
Exploits0References2
CVE
CVE
added 2 days ago12 views

CVE-2026-9824

Mattermost v11.7.x ≤ 11.7.2, v11.6.x ≤ 11.6.4, and v10.11.x ≤ 10.11.19 are affected by CVE-2026-9824 due to a missing check of the manage_shared_channels permission in the /share-channel autocomplete handler. This allows an authenticated user without that permission to enumerate remote cluster co...

4.3CVSS6.1AI score0.00162EPSS
Exploits0References1Affected Software1
NVD
NVD
added 5 days ago6 views

CVE-2026-61441

PraisonAI Platform praisonai-platform before 0.1.9 improperly authorizes deletion of issue dependencies. The DELETE dependency route accepts either endpoint of a dependency edge and checks delete permission only against the caller-selected URL issue. A workspace member who cannot delete a...

7.1CVSS0.00239EPSS
Exploits0References3
OSV
OSV
added 6 days ago3 views

CVE-2026-59227 Open WebUI: POST /api/v1/images/edit bypasses the global image-edit switch and the per-user image-generation permission

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.11 before 0.10.0, POST /api/v1/images/edit required only a verified account and did not enforce the global image-edit switch or the per-user image-generation permission, allowing a non-admin user to...

4.3CVSS6.1AI score0.00259EPSS
Exploits1References6
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-42589

The implementation of an internal and undocumented Dashboard API endpoint POST /api/users//user/tokens forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user with more...

8.7CVSS6.4AI score0.00281EPSS
Exploits0References1
CVE
CVE
added 6 days ago11 views

CVE-2026-12406

The CVE concerns the WordPress plugin “User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration” (WPUF). All versions up to 4.3.7 are affected by an authorization bypass that allows unauthenticated attackers to delete arbitrary media attachments with pos...

5.3CVSS5.9AI score0.00323EPSS
Exploits0References10
EUVD
EUVD
added 6 days ago5 views

EUVD-2026-42511

The Everest Forms WordPress plugin before 3.5.0 does not correctly restrict access to several REST API endpoints belonging to its onboarding assistant: the capability check is only applied when an attacker-controllable request header holds a specific value, so it can be bypassed by omitting or...

6.5CVSS5.9AI score0.00179EPSS
Exploits0References1
NVD
NVD
added last week10 views

CVE-2026-59262

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails...

7.1CVSS0.00238EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added last week6 views

golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root

A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the Root.Chmod function is replaced with a symbolic link during execution, specifically after Root.Chmod checks the target but before acting, the chmod operation will be performed on the file the...

6.4CVSS6.8AI score0.00292EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/08 11:35 a.m.33 views

CVE-2026-3688 WCFM - WooCommerce Multivendor Membership <= 2.11.10 - Insecure Direct Object Reference to Limited Privilege Escalation via User Role Overwrite

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvmmembershipchange' AJAX action not validating user permission to modify other...

8.1CVSS0.00223EPSS
Exploits0References2
Snyk
Snyk
added 2026/07/03 10:19 p.m.7 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass due to insufficient permission checks in the draft release process. An attacker can access sensitive draft release data or attachments by bypassing required write permissions. Remediation Upgrade...

7.5CVSS6AI score0.00345EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/03 3:47 p.m.57 views

CVE-2026-14615 Keycloak-services: keycloak: fgap v2 parent group children endpoint bypasses per-child view permission filter

A flaw was found in the Fine-Grained Admin Permissions FGAP v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when requested through a parent group. This allows a...

4.3CVSS0.00172EPSS
Exploits0References2
NVD
NVD
added 2026/07/01 11:16 p.m.10 views

CVE-2026-50283

Craft CMS is a content management system CMS. Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId...

5.3CVSS0.00265EPSS
Exploits0References2
NVD
NVD
added 2026/07/01 11:16 p.m.8 views

CVE-2026-50284

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds...

7.1CVSS0.00249EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/01 10:37 p.m.5 views

CVE-2026-50284

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds...

7.1CVSS5.8AI score0.00249EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/01 10:20 p.m.7 views

CVE-2026-50283

Craft CMS is a content management system CMS. Versions 5.0.0-RC1 through 5.9.20, and 4.0.0-RC1 through 4.17.13 contain an authorization issue in the AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId...

5.3CVSS5.8AI score0.00265EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/07/01 9:11 p.m.40 views

CVE-2026-54262 Wagtail: Pages translations can be created without page permissions when using simple_translation

Wagtail is an open source content management system built on Django. In versions prior to 7.0.8, 7.3.3 and 7.4.2, a low-level user with the "Can submit translation" permission can create translations for any page, including those they do not have permissions for. This issue has been fixed in...

4.3CVSS0.00162EPSS
Exploits0References1
Rows per page
Query Builder