Lucene search
+L

11 matches found

cvelist
cvelist
added 2026/06/22 1:37 p.m.38 views

CVE-2026-8074 Improper Permission Check Allows User Manager to Deactivate Bot Accounts

Mattermost versions 11.7.x = 11.7.0, 10.11.x = 10.11.17 fail to enforce bot-specific permission checks on the user active status endpoint, which allows a User Manager with user management write access but no Integrations access to deactivate bot accounts via the PUT /api/v4/users/id/active API...

3.8CVSS0.00192EPSS
Exploits0References1
nvd
nvd
added 2026/06/20 4:17 p.m.13 views

CVE-2026-56276

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password has...

6CVSS0.00251EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/20 12:0 a.m.15 views

PT-2026-51151

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the 'PUT /api/v1/user' endpoint. This allows authenticated users to modify the credential field without proper validation. By providing a crafted password hash, an...

6CVSS5.9AI score0.00251EPSS
Exploits0References9
nvd
nvd
added 2026/06/10 12:16 a.m.16 views

CVE-2026-46518

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, a stored cross-site scripting vulnerability in the prescription CSS/HTML multi-print feature allows a patient portal user to execute arbitrary JavaScript in a...

8.7CVSS0.00208EPSS
Exploits1References1
osv
osv
added 2026/05/27 5:9 p.m.3 views

CVE-2026-45717 Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL.

Budibase is an open-source low-code platform. Prior to 3.38.1, Budibase exposes a REST API for datasource management. The route PUT /api/datasources/:datasourceId is registered in the authorizedRoutes group with TABLE/READ permission. This is the same authorization level as the read endpoint GET...

8.8CVSS6.1AI score0.00251EPSS
Exploits0References4
cvelist
cvelist
added 2026/05/18 8:7 a.m.45 views

CVE-2026-4286 Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

3.1CVSS0.00143EPSS
Exploits0References1
osv
osv
added 2026/05/18 8:7 a.m.5 views

CVE-2026-4286 Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of member access via playbook update

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

3.1CVSS6AI score0.00143EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/05/18 12:0 a.m.18 views

PT-2026-41653

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13 Description An issue exists where the system fails to verify if the team id is modified during playbook updates. This allows users possessing only the Manag...

4.3CVSS5.8AI score0.00143EPSS
Exploits0References10
nvd
nvd
added 2026/04/02 8:16 p.m.9 views

CVE-2026-34762

Ella Core is a 5G core designed for private networks. Prior to version 1.8.0, the PUT /api/v1/subscriber/imsi API accepts an IMSI identifier from both the URL path and the JSON request body but never verifies they match. This allows an authenticated NetworkManager to modify any subscriber's polic...

2.7CVSS0.00185EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2024/06/06 12:0 a.m.14 views

PT-2024-18651 · Zenml Io · Zenml

Name of the Vulnerable Software and Affected Versions: zenml-io/zenml version 0.55.3 Description: An improper authorization issue exists in the zenml-io/zenml repository, specifically within the API "PUT /api/v1/users/id" endpoint. This issue allows any authenticated user to modify the informatio...

6.5CVSS6.5AI score0.00623EPSS
Exploits1References10
github
github
added 2024/04/24 5:6 p.m.42 views

OpenMetadata vulnerable to a SpEL Injection in `PUT /api/v1/events/subscriptions` (`GHSL-2023-251`)

SpEL Injection in PUT /api/v1/events/subscriptions GHSL-2023-251 Please note, only authenticated users have access to PUT / POST APIS for /api/v1/policies. Non authenticated users will not be able to access these APIs to exploit the vulnerability. A user must exist in OpenMetadata and have...

8.8CVSS8AI score0.02372EPSS
Exploits1References9Affected Software1
Rows per page
Query Builder