Lucene search
K

106 matches found

NVD
NVD
added 2026/06/29 8:17 p.m.7 views

CVE-2026-31016

Cross Site Request Forgery vulnerability in Squidex.io Squidex CMS v.7.21.0 and before allows a remote attacker to escalate privileges via the IdentityServer account profile endpoint...

6.5CVSS0.00186EPSS
Exploits0References4
NVD
NVD
added 2026/06/23 1:16 p.m.14 views

CVE-2025-71337

Flowise before 3.0.10 affected versions 3.0.7 and earlier contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the...

8.7CVSS0.00296EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/06/23 12:12 p.m.35 views

CVE-2025-71337 Flowise - Unverified Email Change via Account Profile Endpoint

Flowise before 3.0.10 affected versions 3.0.7 and earlier contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the...

8.7CVSS0.00296EPSS
Exploits1References2
EUVD
EUVD
added 2026/06/23 12:12 p.m.8 views

EUVD-2025-210304

Flowise before 3.0.10 affected versions 3.0.7 and earlier contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the...

8.7CVSS5.8AI score0.00296EPSS
Exploits1References2
CVE
CVE
added 2026/06/23 12:12 p.m.15 views

CVE-2025-71337

CVE-2025-71337 affects Flowise before 3.0.10 (impacted: 3.0.7 and earlier). A authenticated user can change the account email via the account profile endpoint without confirming the change to the original email or re-entering the current password, enabling potential account takeover and abuse of ...

8.7CVSS5.8AI score0.00296EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/06/18 4:13 p.m.26 views

CVE-2026-54105

The CVE concerns CVE-2026-54105 affecting the GAO EPDS and CBCA EDS systems. The vulnerability arises from the update-profile/ API endpoint, where a remote, unauthenticated attacker can supply an arbitrary user_id and receive a JSON response containing account-specific information, including the ...

6.9CVSS5.3AI score0.003EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/18 4:13 p.m.6 views

CVE-2026-54105

The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a reque...

6.9CVSS5.4AI score0.003EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/18 4:13 p.m.12 views

EUVD-2026-37912

The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS expose sensitive account information through the 'update-profile/' API endpoint. A remote, unauthenticated attacker can submit a reque...

6.9CVSS5.3AI score0.003EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/18 4:12 p.m.14 views

EUVD-2026-37910

The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could chang...

9.8CVSS5.4AI score0.00427EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/18 4:12 p.m.39 views

CVE-2026-54103 U.S. GAO EPDS and CBCA EDS unauthenticated password change

The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could chang...

9.8CVSS0.00427EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/18 4:12 p.m.6 views

CVE-2026-54103

The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPDS and Civilian Board of Contract Appeals CBCA Electronic Docketing System EDS does not authenticate password change requests to the '/update-profile/N' API endpoint. A remote, unauthenticated attacker could chang...

9.8CVSS5.5AI score0.00427EPSS
Exploits0References5
CVE
CVE
added 2026/06/18 4:12 p.m.27 views

CVE-2026-54103

CVE-2026-54103 affects GAO EPDS and CBCA EDS, where the /update-profile/N endpoint does not require authentication for password changes. The vulnerability allows a remote attacker to change an arbitrary user’s password without credentials. This result is supported by the CVSS data indicating high...

9.8CVSS5.4AI score0.00427EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.23 views

PT-2026-50705

Name of the Vulnerable Software and Affected Versions U.S. GAO Electronic Protest Docketing System EPDS affected versions not specified U.S. CBCA Electronic Docketing System EDS affected versions not specified Description The U.S. Government Accountability Office GAO Electronic Protest Docketing...

6.9CVSS5.9AI score0.003EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/06/05 7:30 p.m.10 views

CVE-2026-42870

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a Stored Cross-Site Scripting XSS flaw was identified at the following endpoint: funcionario/profilefuncionario.php?idfuncionario=2. By injecting a malicious payload into the 'Description' Descrição field and saving t...

6.4CVSS5.4AI score0.00281EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.9 views

CVE-2026-6375

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records PNRs without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw...

8.7CVSS5.5AI score0.00311EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/29 8:13 p.m.13 views

CVE-2026-9410

A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workflow. Such manipulation of the argument ID leads to improper authorization. It is possible to launc...

5.3CVSS5.4AI score0.00198EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/25 12:30 a.m.18 views

CVE-2026-9410

A vulnerability has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This vulnerability affects unknown code of the file /profile of the component Profile Workflow. Such manipulation of the argument ID leads to improper authorization. It is possible to launc...

5.3CVSS5.4AI score0.00198EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/23 8:7 p.m.6 views

CVE-2026-6375

A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records PNRs without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw...

8.7CVSS5.8AI score0.00311EPSS
Exploits0References2
NVD
NVD
added 2026/04/10 5:17 p.m.10 views

CVE-2026-35653

OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. Attackers can invoke POST /reset-profile through the...

8.1CVSS0.006EPSS
Exploits1References4
CVE
CVE
added 2026/04/10 4:3 p.m.12 views

CVE-2026-35653

OpenClaw prior to 2026.3.24 contains an incorrect authorization flaw in POST /reset-profile. Authenticated callers with operator.write access to browser.request can bypass profile mutation restrictions, potentially stopping the running browser, closing Playwright connections, and moving profile d...

8.1CVSS5.8AI score0.006EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder