2379 matches found
CVE-2026-53640
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, low-privileged staff accounts may read sensitive data via admin API endpoints that lack permission checks. While sibling write endpoints correctly enforce fine-grained permissions, the corresponding...
CVE-2026-53643 FOSSBilling allows low-privileged staff accounts to perform unauthorized actions via admin API endpoints
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow low-privileged staff accounts to perform unauthorized actions via admin API endpoints. The root cause is a combination of the canalwaysaccess module flag which grants all staff access to certain...
CVE-2026-53643
FOSSBilling is a free, open-source billing and client management system. Versions prior to 0.8.0 allow low-privileged staff accounts to perform unauthorized actions via admin API endpoints. The root cause is a combination of the canalwaysaccess module flag which grants all staff access to certain...
CVE-2026-53913 Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted
Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely 'Failing Open' vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess, which performs three checks ...
CVE-2026-27771
Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information...
CVE-2026-24690
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches...
CVE-2026-20909
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries...
CVE-2026-27771 Gitea Composer package source links use insufficient permission checks
Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information...
CVE-2026-27660 Gitea draft releases use insufficient permission checks
Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission...
CVE-2026-27771
Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information...
CVE-2026-27771
CVE-2026-27771 affects Gitea container registry prior to 1.26.2. The root cause is ReqContainerAccess not enforcing per-owner visibility, allowing ghost users (UserID: -1) to access private container images via standard OCI/Docker endpoints. Impact: unauthenticated access can expose private/inter...
EUVD-2026-41620
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches...
CVE-2026-24690 Gitea pull-request branch updates use insufficient permission checks
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches...
CVE-2026-24690
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches...
EUVD-2026-41615
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries...
CVE-2026-20909 Gitea tracked-time list endpoint has insufficient permission checks
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries...
CVE-2026-20909
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries...
EUVD-2026-41214
Craft CMS: Authorship spoofing in entries/save-entry via pre-check/post-mutation authorization gap...
EUVD-2026-40937
The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the /wp-json/slim-seo/meta-tags/ai REST API endpoint. This is due to the endpoint's permissioncallback performin...
EUVD-2026-40356
RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task FlwTaskController without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global...