3 matches found
CVE-2026-50279 Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap
Craft CMS is a content management system CMS. IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author...
GHSA-F8Q6-3G5W-JJR6 Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Summary This is a vertical authorization bypass in the Admin API affecting order state transition features /api/action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...
keycloak: Improper authorization for master realm
A flaw was found in Keycloak. The Red Hat Single Sign-On allowed authed users to perform actions outside their permissions. This flaw makes adding users to the master realm possible even though no respective permission was granted...