
20 matches found

Positive Technologies · added 2026/02/19 12:00 a.m. · 7 views

PT-2026-21344

Name of the Vulnerable Software and Affected Versions: Formwork versions 2.0.0 through 2.3.3. Description: Formwork is a flat file-based Content Management System (CMS). The application does not properly enforce role-based authorization during account creation. Specifically, it does not verify if the...

CVSS 8.8 · AI score 5.5 · EPSS 0.00415
Exploits: 0 · References: 16
EUVD · added 2025/10/03 8:07 p.m. · 3 views

EUVD-2025-6721

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 5.1 · EPSS 0.00233
Exploits: 0 · References: 3
CNVD · added 2025/09/16 12:00 a.m. · 7 views

RuoYi License Issue Vulnerability

RuoYi is a backend management system for individual developers in China. RuoYi 4.8.1 and earlier versions contain an authorization vulnerability. The vulnerability stems from the roleId and userIds parameters of /system/role/authUser/cancelAll, which are subject to improper...

CVSS 5.5 · AI score 5.5 · EPSS 0.00338
Exploits: 0 · References: 1
Tenable Nessus · added 2025/08/18 12:00 a.m. · 5 views

Linux Distros Unpatched Vulnerability : CVE-2024-10978

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires...

CVSS 4.2 · AI score 6.3 · EPSS 0.00705
Exploits: 0 · References: 2
Cvelist · added 2025/07/04 1:44 a.m. · 11 views

CVE-2025-5953 WP Human Resource Management 2.0.0 - 2.2.17 - Missing Authorization to Authenticated (Employee+) Privilege Escalation via wp_ajax_hrm_insert_employee AJAX Action

The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajaxinsertemployee and updateempoyee functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via...

CVSS 8.8 · EPSS 0.00364
Exploits: 0 · References: 5
OSV · added 2025/03/25 7:38 p.m. · 6 views

GO-2025-3534 Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server

Mattermost Fails to Properly Perform Viewer Role Authorization in github.com/mattermost/mattermost-server...

CVSS 4.3 · AI score 6.7 · EPSS 0.00233
Exploits: 0 · References: 3
RedhatCVE · added 2025/03/21 2:16 p.m. · 7 views

CVE-2025-1472

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role, which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics...

CVSS 4.3 · AI score 7 · EPSS 0.00233
Exploits: 0 · References: 1
NVD · added 2025/03/19 3:15 p.m. · 8 views

CVE-2025-1472

Mattermost versions 9.11.x <= 9.11.8 fail to properly perform authorization of the Viewer role, which allows an attacker with the Viewer role configured with No Access to Reporting to still view team and site statistics...

CVSS 4.3 · EPSS 0.00233
Exploits: 0 · References: 1
RedhatCVE · added 2025/02/06 2:57 a.m. · 6 views

CVE-2025-21611

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions...

CVSS 8.8 · AI score 6.7 · EPSS 0.00454
Exploits: 0 · References: 1
Vulnrichment · added 2025/01/06 3:38 p.m. · 20 views

CVE-2025-21611 tgstation-server's role authorization incorrectly OR'd with user's enabled status

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions...

CVSS 8.8 · AI score 8.7 · EPSS 0.00454
Exploits: 0 · References: 3
Cvelist · added 2025/01/06 3:38 p.m. · 22 views

CVE-2025-21611 tgstation-server's role authorization incorrectly OR'd with user's enabled status

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions...

CVSS 8.8 · EPSS 0.00454
Exploits: 0 · References: 3
CVE · added 2025/01/06 3:38 p.m. · 102 views

CVE-2025-21611

CVE-2025-21611 affects tgstation-server (BYOND server management). Before version 6.12.3, the authorization check for API methods used OR between the user-enabled status and the role, instead of AND. This error allowed enabled users to access most authorized actions regardless of their permission...

CVSS 8.8 · AI score 8.6 · EPSS 0.00454
Exploits: 0 · References: 3 · Affected Software: 1
Positive Technologies · added 2025/01/06 12:00 a.m. · 3 views

PT-2025-4299 · Unknown · Tgstation-Server

Name of the Vulnerable Software and Affected Versions: tgstation-server versions prior to 6.12.3 Description: The issue concerns improper role authorization in tgstation-server, a production-scale tool for BYOND server management. Prior to version 6.12.3, roles used to authorize API methods were...

CVSS 8.8 · AI score 7.1 · EPSS 0.00454
Exploits: 0 · References: 11
CVE · added 2023/04/17 4:28 p.m. · 69 views

CVE-2023-27525

CVE-2023-27525 affects Apache Superset up to 2.0.1. An authenticated user with the Gamma role could access metadata information using non-trivial methods, enabling information disclosure. Documented impact is limited to metadata exposure; no exploit vectors or fixes are provided in the supplied s...

CVSS 4.3 · AI score 4.1 · EPSS 0.00773
Exploits: 0 · References: 1 · Affected Software: 1
OSV · added 2021/10/06 8:15 p.m. · 4 views

CVE-2021-34766

A vulnerability in the web UI of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an authenticated, remote attacker to elevate privileges and create, read, update, or delete records and settings in multiple functions. This vulnerability is due to insufficient authorization of the Syst...

CVSS 8.8 · AI score 5.8 · EPSS 0.00943
Exploits: 0 · References: 1
Palo Alto Networks · added 2021/06/09 4:00 p.m. · 67 views

Prisma Cloud Compute: User role authorization secret for Console leaked through log file export

An information exposure through log file vulnerability exists in the Palo Alto Networks Prisma Cloud Compute Console where a secret used to authorize the role of the authenticated user is logged to a debug log file. Authenticated Operator role and Auditor role users with access to the debug log...

CVSS 3.8 · AI score 3 · EPSS 0.00537
Exploits: 0 · References: 1
Cvelist · added 2020/09/11 3:15 p.m. · 14 views

CVE-2020-25276

An issue was discovered in PrimeKey EJBCA 6.x and 7.x before 7.4.1. When using a client certificate to enroll over the EST protocol, no revocation check is performed on that certificate. This vulnerability can only affect a system that has EST configured, uses client certificates to authenticate...

AI score 7.1 · EPSS 0.00491
Exploits: 0 · References: 1
Prion · added 2018/11/30 3:29 p.m. · 15 views

Authorization

IBM StoredIQ 7.6.0 does not implement proper authorization of user roles due to which it was possible for a low privileged user to access the application endpoints of high privileged users and also perform some state changing actions restricted to a high privileged user. IBM X-Force ID: 153119...

CVSS 2.1 · AI score 5.2 · EPSS 0.00324
Exploits: 0 · References: 2 · Affected Software: 1
RedHat Linux · added 2015/12/02 5:16 p.m. · 4 views

EAP: missing authorization check for Monitor/Deployer/Auditor role when shutting down server

It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users...

CVSS 3.5 · AI score 7.4 · EPSS 0.01795
Exploits: 0 · References: 4
Drupal · added 2012/06/06 12:00 a.m. · 26 views

SA-CONTRIB-2012-096 - Authoring HTML - Cross Site Scripting (XSS)

This module creates an input format suitable for use within a WYSIWYG editor. It adds support for the iframe HTML tag, making it friendly with the popular iframe embeds available in popular video sites like YouTube and Vimeo. It supports the script tag too. Both tags will only be allowed if the...

CVSS 3.5 · AI score 6.1 · EPSS 0.0168
Exploits: 1 · References: 10