Lucene search
+L

3051 matches found

nvd
nvd
added 2026/07/08 2:17 p.m.6 views

CVE-2026-56220

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3path values that are served to device...

7.1CVSS0.00203EPSS
Exploits0References2
cve
cve
added 2026/07/08 1:49 p.m.19 views

CVE-2026-56778

CVE-2026-56778 (n8n) : Affected versions are n8n before 2.25.7 and 2.26.x before 2.26.2. The Public API execution retry endpoint authorizes with the workflow:read scope instead of workflow:execute, allowing an authenticated user with read-only access to a shared workflow to retry executions, bypa...

6.4CVSS6.1AI score0.00174EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/07/08 1:49 p.m.5 views

CVE-2026-56778 n8n - Authorization Bypass in Public API Execution Retry Endpoint

n8n before 2.25.7 and 2.26.x before 2.26.2 contains an authorization bypass in the Public API execution retry endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a shared workflow can use the Public API to ret...

5.3CVSS6.2AI score0.00174EPSS
Exploits0References4
euvd
euvd
added 2026/07/08 1:49 p.m.7 views

EUVD-2026-42263

n8n before 1.123.55, 2.25.7, and 2.26.2 contains an authorization bypass in the POST /workflows/workflowId/test-runs/new endpoint, which authorizes access using the workflow:read scope instead of workflow:execute. An authenticated user with read-only access to a workflow can trigger a real...

7.4CVSS6.1AI score0.00161EPSS
Exploits0References2
cve
cve
added 2026/07/08 1:49 p.m.17 views

CVE-2026-56776

CVE-2026-56776 affects n8n versions prior to 1.123.55, 2.25.7, and 2.26.2. The issue is an authorization bypass in POST /workflows/{workflowId}/test-runs/new where access is granted using workflow:read instead of workflow:execute, enabling an authenticated user with read-only access to trigger a ...

7.4CVSS6.1AI score0.00161EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2026/07/08 1:48 p.m.30 views

CVE-2026-56220 Capgo - Unauthorized Manifest Insertion via Read-Only Org Member

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3path values that are served to device...

7.1CVSS0.00203EPSS
Exploits0References2
euvd
euvd
added 2026/07/08 1:48 p.m.4 views

EUVD-2026-42247

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3path values that are served to device...

7.1CVSS6AI score0.00203EPSS
Exploits0References2
osv
osv
added 2026/07/08 1:48 p.m.3 views

CVE-2026-56220 Capgo - Unauthorized Manifest Insertion via Read-Only Org Member

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.manifest INSERT policy that allows read-only org members to insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3path values that are served to device...

7.1CVSS6.2AI score0.00203EPSS
Exploits0References4
cve
cve
added 2026/07/08 1:48 p.m.9 views

CVE-2026-56220

Capgo before version 12.128.2 contains an authorization bypass in the public.manifest INSERT policy that lets read-only org members insert OTA manifest rows. Attackers with read-only org access can inject malicious manifest entries with arbitrary s3_path values, which are served to devices via th...

7.1CVSS6AI score0.00203EPSS
Exploits0References2
cve
cve
added 2026/07/08 1:30 p.m.7 views

CVE-2026-60124

The CVE-2026-60124 in MISP concerns an authorization bypass in EventsController::importModule(). When an import module returns results in the misp_standard format, the write path failed to verify event modification rights, allowing authenticated users or read-only API keys with event view access ...

5.3CVSS6AI score0.0022EPSS
Exploits0References1
cvelist
cvelist
added 2026/07/08 1:30 p.m.31 views

CVE-2026-60124 MISP importModule missing authorization allows read-only users to modify events via misp_standard imports

An authorization bypass in MISP’s EventsController::importModule allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the mispstandard format, the write path did not verify eve...

5.3CVSS0.0022EPSS
Exploits0References1
osv
osv
added 2026/07/08 1:30 p.m.4 views

CVE-2026-60124 MISP importModule missing authorization allows read-only users to modify events via misp_standard imports

An authorization bypass in MISP’s EventsController::importModule allowed authenticated users or read-only API keys with event view access to persist data to events they were not allowed to modify. When an import module returned results in the mispstandard format, the write path did not verify eve...

5.3CVSS6.1AI score0.0022EPSS
Exploits0References4
cvelist
cvelist
added 2026/07/08 12:22 a.m.38 views

CVE-2026-55433 Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, perform...

5.4CVSS0.00394EPSS
Exploits0References6
cve
cve
added 2026/07/08 12:22 a.m.28 views

CVE-2026-55433

Coder: Devcontainer recreate endpoint lacked ActionUpdate authorization, allowing read-only workspace roles to trigger destructive rebuilds. Affected versions prior to 2.29.7, 2.32.7, 2.33.8, and 2.34.2 trusted by the endpoint; fix adds ActionUpdate check before dialing the agent, mirroring the d...

5.4CVSS6AI score0.00394EPSS
Exploits0References6Affected Software1
osv
osv
added 2026/07/08 12:22 a.m.7 views

CVE-2026-55433 Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, perform...

5.4CVSS6AI score0.00394EPSS
Exploits0References8
nvd
nvd
added 2026/07/07 3:16 p.m.8 views

CVE-2026-59709

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS0.002EPSS
Exploits0References4
euvd
euvd
added 2026/07/07 2:12 p.m.5 views

EUVD-2026-42046

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS6AI score0.002EPSS
Exploits0References4
cve
cve
added 2026/07/07 2:12 p.m.10 views

CVE-2026-59709

Ghostfolio CVE-2026-59709 affects the PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint. The root cause is a missing verification of Access.permissions when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with va...

5.3CVSS6AI score0.002EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2026/07/07 2:12 p.m.4 views

CVE-2026-59709 Ghostfolio - Unauthorized Portfolio Holding Tag Modification via Missing Permission Check

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS6AI score0.002EPSS
Exploits0References4
attackerkb
attackerkb
added 2026/07/07 2:12 p.m.8 views

CVE-2026-59709

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS6AI score0.002EPSS
Exploits0References5
Rows per page
Query Builder