CVE-2026-11986

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrato...

EUVD-2026-36267

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrato...

CVE-2026-11986

CVE-2026-11986 involves the Keycloak admin-ui-ext component. The root cause is that certain bulk role-removal endpoints do not perform granular permission checks when deleting role mappings, enabling a delegated administrator with limited permissions to remove highly privileged roles from other u...

CVE-2026-11986 Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk role-mapping-delete endpoints of keycloak

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrato...

CVE-2026-11986

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrato...

PT-2026-48695

A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a delegated administrato...

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability, which stems from the fact that the endpoint for batch role removal does not perform fine-grained permission checks. This could allow with limited permissions to remove...

OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate

Background OpenBao's Certificate authentication method, when a token renewal is requested and disablebinding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Token renewals for other authentication methods do not require any supplied login...

PT-2026-24584

🚨 CVE-2026-1753 The Gutena Forms WordPress plugin before 1.6.1 does not validate option to be updated, which could allow contributors and above role to update arbitrary boolean and array options such as users can register. 🎖@cveNotify...

CVE-2026-31834

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

CVE-2026-31834

Umbraco CMS (ASP.NET) versions affected: 15.3.1 up to before 16.5.1 and 17.2.2. A privilege escalation vulnerability exists where authenticated backoffice users with permission to manage users may elevate privileges during modification of user group memberships due to insufficient authorization c...

CVE-2025-70128

A Stored Cross-Site Scripting XSS vulnerability exists in the PluXml article comments feature for PluXml versions 5.8.22 and earlier. The application fails to properly sanitize or validate user-supplied input in the "link" field of a comment. An attacker can inject arbitrary JavaScript code using...

PT-2026-5555

Name of the Vulnerable Software and Affected Versions Mult-E-Cart Ultimate version 2.4 Description The software contains multiple SQL injection flaws within the inventory, customer, vendor, and order modules. Attackers with vendor or administrator privileges can exploit the id parameter to execut...

EUVD-2020-27070

Malware in sbrugna...

EUVD-2025-26122

Malicious code in bioql PyPI...

CVE-2025-20232

CVE-2025-20232 affects Splunk Enterprise (versions prior to 9.3.3, 9.2.5, 9.1.8) and Splunk Cloud Platform (prior to 9.3.2408.103, 9.2.2406.108, 9.2.2403.113, 9.1.2312.208, 9.1.2308.212). A low-privileged user without admin/power roles can abuse the /app/search/search endpoint via the s parameter...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the API key name during its generation. An attacker can execute arbitrary scripts in the context of an admin's session by embedding malicious content into the API key name field. This is only exploitable if...

CVE-2025-23239

When running in Appliance mode, and logged into a highly-privileged role, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached E...

CM can exploit a pause in GuardCM to gain permanent unrestricted access

Lines of code Vulnerability details Impact The GuardCM contract is designed to restrict the Community Multisig CM actions within the protocol to only specific contracts and methods. Under specific circumstances, the protocol allows the guard to be paused, which temporarily pauses the guard and...

Two-step change of privileged roles

Lines of code Vulnerability details Impact Lack of two-step procedure for critical operations is error-prone and can lead to irrevocable mistakes, might leave the system operationally with no/malicious privileged role. For example, when transfer admin role, in a single-step change, if the current...