GHSA-Q537-QHJ4-WCJX OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd

Summary An organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. Impact Full platform access, access to sensitive or proprietary information...

CVE-2026-22238

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful...

PT-2026-2861

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful...

CVE-2025-57210

Incorrect access control in the component ApiPayController.java of platform v1.0.0 allows attackers to access sensitive information via unspecified vectors...

EUVD-2024-1694

Malicious code in bioql PyPI...

CVE-2024-12767 BuddyBoss platform < 2.7.60 - Private Comment Exposure via IDOR

The buddyboss-platform WordPress plugin before 2.7.60 lacks proper access controls and allows a logged-in user to view comments on private posts...

CVE-2024-54681

Multiple bash files were present in the application's private directory. Bash files can be used on their own, by an attacker that has already full access to the mobile platform to compromise the translations for the application...

CVE-2024-0712 Byzoro Smart S150 Management Platform userattea.php access control

A vulnerability was found in Byzoro Smart S150 Management Platform V31R02B15. It has been classified as critical. Affected is an unknown function of the file /useratte/inc/userattea.php. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit...

CVE-2022-42442

IBM Robotic Process Automation for Cloud Pak 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to exposure of the first tenant owner e-mail address to users with access to the container platform. IBM X-Force ID: 238214...

What is OAuth ❓ All you need to know

Introduction You’ve probably heard about the dangers of giving out your passwords and why you should never do it. There are various protocols designed to protect you and prevent the need for inputting your passwords or log in credentials repeatedly. When a website needs your password to offer you...

FormaLMS 2.4.4 Authentication Bypass

Exploit Title: FormaLMS 2.4.4 - Authentication Bypass Google Dork: inurl:index.php?r=adm/ Date: 2021-11-10 Exploit Author: Cristian 'void' Giustini @ Hacktive Security Vendor Homepage: https://formalms.org Software Link: https://formalms.org Version: = 2.4.4 Tested on: Linux CVE : CVE-2021-43136...

Authentication flaw

An authentication bypass issue in FormaLMS = 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform...

CVE-2021-43136

An authentication bypass issue in FormaLMS = 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform...

TokenTactics - Azure JWT Token Manipulation Toolset

Azure JSON Web Token "JWT" Manipulation Toolset Azure access tokens allow you to authenticate to certain endpoints as a user who signs in with a device code. Even if they used multi-factor authentication. Once you have a user's access token, it may be possible to access certain apps such as...

CVE-2020-36124

Pax Technology PAXSTORE v7.0.820200511171508 and lower is affected by XML External Entity XXE injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user clients and administrators...

CVE-2020-36124

Pax Technology PAXSTORE v7.0.820200511171508 and lower is affected by XML External Entity XXE injection. An authenticated attacker can compromise the private keys of a JWT token and reuse them to manipulate the access tokens to access the platform as any desired user clients and administrators...

CVE-2020-15390

pyActivity in Pega Platform 8.4.0.237 has a security misconfiguration that leads to an improper access control vulnerability via =GetWebInfo...

HDHCMS has a logic flaw vulnerability

HDHCMS is an all-in-one self-service station building management system based on PC website + mobile website + WeChat small program + third-party platform access WeChat public number, Xiongpang number. HDHCMS has a logic flaw vulnerability. An attacker can exploit the vulnerability by constructin...