
64 matches found

Cvelist
added 2026/05/27 5:06 p.m. · 37 views

CVE-2026-46425 Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users

Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM, which checks the Enterprise feature flag and the SCIM config, and doInScimContext, which sets the SCIM request context. There is no role check...

CVSS 9.9 · EPSS 0.00044
Exploits: 0 · References: 2

Cvelist
added 2026/02/21 5:11 a.m. · 21 views

CVE-2026-27198 Formwork Improperly Manages Privileges During User Creation

Formwork is a flat-file Content Management System (CMS). In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has...

CVSS 8.8 · EPSS 0.00021
Exploits: 0 · References: 3

CNNVD
added 2026/02/21 12:00 a.m. · 3 views

Formwork security vulnerability

Formwork is an open-source content management system (CMS) developed by Formwork and used to build and manage simple websites. Formwork versions 2.0.0 to 2.3.3 contain a security vulnerability that stems from improper role-based authorization during account creation, which may...

CVSS 8.8 · AI score 5.8 · EPSS 0.00021
Exploits: 0 · References: 3

OSV
added 2026/02/19 8:31 p.m. · 2 views

GHSA-34P4-7W83-35G2 Formwork Improperly Managed Privileges in User creation

Summary: The application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an...

CVSS 8.8 · AI score 5.4 · EPSS 0.00021
Exploits: 0 · References: 5

Github Security Blog
added 2026/02/19 8:31 p.m. · 4 views

Formwork Improperly Managed Privileges in User creation

Summary: The application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has sufficient privileges to assign highly privileged roles such as admin. As a result, an...

CVSS 8.8 · AI score 5.4 · EPSS 0.00021
Exploits: 0 · References: 5 · Affected software: 1
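The Budibase and Formwork entries above describe two layers of the same missing check: a router whose middlewares only verify that a feature is licensed and configured, so any authenticated user reaches an administrative handler, and a user-creation handler that checks the requested role exists but never asks whether the caller is allowed to grant it. The following is an added example, not Budibase's or Formwork's code, that models both gaps and their fixes in a Koa-style middleware chain; the role hierarchy, the `scim` feature flag, the `editor` role floor and every function name are hypothetical.

```javascript
// Added example, not Budibase or Formwork code: a Koa-style middleware chain
// and a user-creation handler showing the two gaps described above and the
// checks that close them. All names, roles and the route shape are hypothetical.

// Hypothetical role hierarchy: a higher rank may manage a lower one.
const ROLE_RANK = { basic: 1, editor: 2, admin: 3 };

class Forbidden extends Error {
  constructor(message) {
    super(message);
    this.status = 403;
  }
}

// Synchronous stand-in for Koa's compose(): each middleware gets (ctx, next).
function compose(middlewares) {
  return (ctx) => {
    let index = -1;
    const dispatch = (i) => {
      if (i <= index) throw new Error('next() called more than once');
      index = i;
      const fn = middlewares[i];
      if (fn) fn(ctx, () => dispatch(i + 1));
    };
    dispatch(0);
  };
}

// Feature gate: answers "is this capability licensed and configured?", which
// says nothing about who is calling. On its own it is not an authorization check.
function requireFeature(flag) {
  return (ctx, next) => {
    if (!ctx.features[flag]) throw new Forbidden(`${flag} is not enabled`);
    next();
  };
}

// Role gate: the middleware the vulnerable router was missing.
function requireRole(minRole) {
  return (ctx, next) => {
    const rank = ROLE_RANK[ctx.user.role] ?? 0;
    if (rank < ROLE_RANK[minRole]) throw new Forbidden('insufficient role');
    next();
  };
}

// hasOwnProperty rather than `in`, so "constructor" or "toString" is not a role.
const isKnownRole = (role) => Object.prototype.hasOwnProperty.call(ROLE_RANK, role);

// Vulnerable handler: the requested role is validated for existence only.
function createUserVulnerable(ctx) {
  const { email, role } = ctx.body;
  if (!isKnownRole(role)) throw new Error(`unknown role ${role}`);
  const user = { email, role };
  ctx.db.push(user);
  return user;
}

// Hardened handler: the caller may grant only roles at or below their own rank.
function createUserHardened(ctx) {
  const { email, role } = ctx.body;
  if (!isKnownRole(role)) throw new Error(`unknown role ${role}`);
  if (ROLE_RANK[role] > ROLE_RANK[ctx.user.role]) {
    throw new Forbidden(`${ctx.user.role} may not assign ${role}`);
  }
  const user = { email, role };
  ctx.db.push(user);
  return user;
}

// Vulnerable route: feature flag only. Any authenticated user reaches the handler.
const vulnerableRoute = compose([
  requireFeature('scim'),
  (ctx) => { ctx.result = createUserVulnerable(ctx); },
]);

// Hardened route: a role floor on the router plus the per-request grant check.
// 'editor' is an illustrative floor; pick the one the product actually needs.
const hardenedRoute = compose([
  requireFeature('scim'),
  requireRole('editor'),
  (ctx) => { ctx.result = createUserHardened(ctx); },
]);

// Drive one request through a route and report what happened.
function run(route, callerRole, body, features = { scim: true }) {
  const ctx = { features, user: { role: callerRole }, body, db: [] };
  try {
    route(ctx);
    return { ok: true, created: ctx.result };
  } catch (err) {
    return { ok: false, status: err.status ?? 500, error: err.message };
  }
}
```

`run(vulnerableRoute, 'basic', { email: 'm@example.test', role: 'admin' })` succeeds, which is the Budibase-style failure; `run(hardenedRoute, 'editor', { email: 'm@example.test', role: 'admin' })` is rejected by the grant check even though the editor passes the router's role floor, which is the Formwork-style failure closed. Both checks are needed: the router gate alone still lets an editor mint an admin, and the grant check alone still lets a basic user reach the handler.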

EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2018-11883

Malware in sbrugna...

CVSS 6.5 · AI score 6.6 · EPSS 0.00098
Exploits: 0 · References: 2

EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2012-4478

Malware in sbrugna...

CVSS 6.4 · AI score 6.1 · EPSS 0.00202
Exploits: 1 · References: 8

EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2022-3432

Malicious code in bioql PyPI...

CVSS 4.0 · AI score 6.3 · EPSS 0.00467
Exploits: 0 · References: 16

EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2022-1908

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 8.4 · EPSS 0.001
Exploits: 0 · References: 3

EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2022-5195

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 4.7 · EPSS 0.00031
Exploits: 0 · References: 5

RedhatCVE
added 2025/05/22 7:11 p.m. · 6 views

CVE-2021-21624

An incorrect permission check in Jenkins Role-based Authorization Strategy Plugin 3.1 and earlier allows attackers with Item/Read permission on nested items to access them, even if they lack Item/Read permission for parent folders...

CVSS 4.3 · AI score 6.6 · EPSS 0.00031
Exploits: 0 · References: 1

Positive Technologies
added 2023/11/08 12:00 a.m. · 1 view

PT-2023-7609 · Quarkus · Quarkus

Vulnerable software and affected versions: Quarkus (affected versions not specified). Description: The issue is related to the incorrect implementation of the sequence of actions in the Quarkus Java framework's WebSocket technology, resulting from insufficient access restriction when...

CVSS 9.1 · AI score 7 · EPSS 0.00537
Exploits: 0 · References: 21

Tenable Nessus
added 2023/09/20 12:00 a.m. · 31 views

Apache Druid < 0.17.1 LDAP Injection

When LDAP authentication is enabled in Apache Druid 0.17.0, callers of Druid APIs with a valid set of LDAP credentials can bypass the credentialsValidator.userSearch filter barrier that determines if a valid LDAP user is allowed to authenticate with Druid. They are still subject to role-based...

CVSS 6.5 · AI score 6.5 · EPSS 0.15565
Exploits: 0 · References: 2
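The Druid entry above describes the classic shape of LDAP filter injection: a caller-supplied username is substituted into the userSearch filter, so filter metacharacters in the name change what the search matches. The following is an added example, not Apache Druid's code, showing the RFC 4515 value escaping that keeps input inert inside a filter, together with a small filter parser and evaluator and a constructed directory so the difference is observable. The filter template, group name and directory entries are constructed for illustration; they do not reproduce Druid's actual filter or the exact payload used against it.

```javascript
// Added example, not Apache Druid code. The filter template, group and
// directory below are constructed; only the escaping rules come from RFC 4515.

// RFC 4515 requires '*', '(', ')', '\' and NUL to be escaped as backslash plus
// two hex digits inside an assertion value. Control and non-ASCII bytes are
// escaped here as well, which the grammar permits and which avoids surprises.
function escapeLdapFilterValue(value) {
  let out = '';
  for (const b of Buffer.from(String(value), 'utf8')) {
    if (b === 0x2a || b === 0x28 || b === 0x29 || b === 0x5c || b < 0x20 || b > 0x7e) {
      out += '\\' + b.toString(16).padStart(2, '0');
    } else {
      out += String.fromCharCode(b);
    }
  }
  return out;
}

// Minimal strict parser for (&...), (|...), (!...) and (attr=value).
// Rejects anything left over after the first complete filter.
function parseFilter(s) {
  let pos = 0;
  function node() {
    if (s[pos] !== '(') throw new Error(`expected '(' at ${pos}`);
    pos++;
    const op = s[pos];
    let n;
    if (op === '&' || op === '|' || op === '!') {
      pos++;
      n = { op, kids: [] };
      while (s[pos] === '(') n.kids.push(node());
    } else {
      const eq = s.indexOf('=', pos);
      const close = s.indexOf(')', eq);
      if (eq < 0 || close < 0) throw new Error('malformed assertion');
      n = { op: '=', attr: s.slice(pos, eq), value: s.slice(eq + 1, close) };
      pos = close;
    }
    if (s[pos] !== ')') throw new Error(`expected ')' at ${pos}`);
    pos++;
    return n;
  }
  const root = node();
  if (pos !== s.length) throw new Error('trailing data after filter');
  return root;
}

// Unescaped '*' is a wildcard; '\xx' sequences are literal bytes.
function valueToRegex(v) {
  const parts = v.split('*').map((p) =>
    p.replace(/\\([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
     .replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp(`^${parts.join('.*')}$`, 'i');
}

function matches(entry, n) {
  switch (n.op) {
    case '&': return n.kids.every((k) => matches(entry, k));
    case '|': return n.kids.some((k) => matches(entry, k));
    case '!': return !matches(entry, n.kids[0]);
    default: {
      const re = valueToRegex(n.value);
      return (entry[n.attr] || []).some((val) => re.test(val));
    }
  }
}

// Constructed directory: alice is in the allowed group, mallory is not.
const GROUP = 'cn=druid,ou=groups,dc=example,dc=org';
const DIRECTORY = [
  { uid: ['alice'], objectClass: ['person'], memberOf: [GROUP] },
  { uid: ['mallory'], objectClass: ['person'], memberOf: ['cn=staff,ou=groups,dc=example,dc=org'] },
];

// The search that decides whether an already-authenticated user is allowed in.
// Returns the uids the filter matched; a non-empty result would be read as "allowed".
function userSearch(username, escape) {
  const v = escape ? escapeLdapFilterValue(username) : username;
  const filter = `(&(objectClass=person)(uid=${v})(memberOf=${GROUP}))`;
  const tree = parseFilter(filter);
  return DIRECTORY.filter((e) => matches(e, tree)).map((e) => e.uid[0]);
}
```

With the naive builder, a caller who can bind as `mallory` but submits the username `*` gets a filter that matches `alice`, a member of the allowed group, so a check that only asks "did the search find an entry?" lets the outsider through; with escaping, the same input becomes `uid=\2a` and matches nothing. Inputs that try to restructure the filter, such as `mallory))(|(uid=*`, make the naive filter unparseable and are rendered harmless by the escaped version, which parses cleanly and matches no one.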

Code423n4
added 2023/09/11 12:00 a.m. · 6 views

The onlySeaport is a single point of failure and a centralization risk

Lines of code / Vulnerability details / Impact: The onlySeaport holds a lot of power within the system, which can compromise the system integrity and its permissionless nature. Having a single EOA as onlySeaport is a large centralization risk and a single point of failure. A single private key may b...

AI score 7.1
Exploits: 0

Code423n4
added 2023/07/13 12:00 a.m. · 8 views

The admin is a single point of failure and a centralization risk

Lines of code / Vulnerability details / Impact: Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, or the sole holder of the key may become unable to retrieve the key when necessary. Consider...

AI score 7.1
Exploits: 0

Code423n4
added 2023/06/16 12:00 a.m. · 11 views

Upgraded Q -> 2 from #66 [1686923855595]

Judge has assessed an item in Issue 66 as 2 risk. The relevant finding follows: L-13 The owner is a single point of failure and a centralization risk Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken ...

AI score 6.8
Exploits: 0

Code423n4
added 2023/06/08 12:00 a.m. · 11 views

The owner is a single point of failure and a centralization risk (06 Instances)

Lines of code / Vulnerability details / Impact: Having a single EOA as the only owner of contracts is a large centralization risk and a single point of failure. A single private key may be taken in a hack, or the sole holder of the key may become unable to retrieve the key when necessary. Tools Used...

AI score 6.8
Exploits: 0

Github Security Blog
added 2023/04/02 9:30 p.m. · 19 views

Jenkins Role-based Authorization Strategy Plugin grants permissions even after they’ve been disabled

Permissions in Jenkins can be enabled and disabled. Some permissions are disabled by default, e.g., Overall/Manage or Item/Extended Read. Disabled permissions cannot be granted directly, only through greater permissions that imply them e.g., Overall/Administer or Item/Configure. Role-based...

CVSS 9.8 · AI score 8.8 · EPSS 0.00805
Exploits: 0 · References: 4 · Affected software: 1

Cvelist
added 2023/03/23 11:25 a.m. · 12 views

CVE-2023-28668

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fae51 and earlier grants permissions even after they've been disabled...

AI score 9.7 · EPSS 0.00805
Exploits: 0 · References: 1

Vulnrichment
added 2023/03/23 11:25 a.m. · 4 views

CVE-2023-28668

Jenkins Role-based Authorization Strategy Plugin 587.v2872c41fae51 and earlier grants permissions even after they've been disabled...

AI score 9.6 · EPSS 0.00805
Exploits: 0 · References: 1
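The two Jenkins Role-based Authorization Strategy findings in this list describe distinct checks a role-based strategy must make: CVE-2021-21624, where Item/Read on a nested item was honoured without Item/Read on the parent folders, and CVE-2023-28668, where a permission that had been disabled was still granted when a role named it directly rather than through a greater permission that implies it. The following is an added example, not the plugin's code, that models both checks in a toy strategy. The permission names are taken from the snippets above; the implication graph, the role format, the item naming and the sample configuration are simplified and hypothetical.

```javascript
// Added example, not the Jenkins plugin's code: a toy role-based authorization
// strategy showing the two checks the entries above describe. Permission names
// are borrowed from the snippets; the implication graph, role format and item
// naming are simplified and hypothetical.

// Permissions, whether each is enabled, and which lesser permissions it implies.
const PERMISSIONS = {
  'Overall/Administer': { enabled: true, implies: ['Overall/Manage', 'Item/Configure'] },
  'Overall/Manage': { enabled: false, implies: [] },                // disabled by default
  'Item/Configure': { enabled: true, implies: ['Item/ExtendedRead'] },
  'Item/ExtendedRead': { enabled: false, implies: ['Item/Read'] },  // disabled by default
  'Item/Read': { enabled: true, implies: [] },
};

// A permission plus everything it transitively implies.
function expand(perm, acc = new Set()) {
  if (acc.has(perm)) return acc;
  acc.add(perm);
  for (const p of PERMISSIONS[perm].implies) expand(p, acc);
  return acc;
}

// Roles grant permissions to members; an optional pattern scopes a role to
// items whose full name matches it (the plugin's item roles).
function effectivePermissions(roles, user, item, opts) {
  const granted = new Set();
  for (const role of roles) {
    if (!role.members.includes(user)) continue;
    if (role.pattern && !role.pattern.test(item)) continue;
    for (const p of role.permissions) {
      // A disabled permission cannot be granted directly; it may only arrive
      // through an enabled permission that implies it. Skipping this check
      // reproduces the behaviour described for CVE-2023-28668.
      if (opts.honourDisabled && !PERMISSIONS[p].enabled) continue;
      for (const q of expand(p)) granted.add(q);
    }
  }
  return granted;
}

// 'folder/sub/job' -> ['folder', 'folder/sub']
function ancestors(item) {
  const parts = item.split('/');
  return parts.slice(0, -1).map((_, i) => parts.slice(0, i + 1).join('/'));
}

function hasPermission(roles, user, item, perm, opts = { honourDisabled: true, checkAncestors: true }) {
  if (!effectivePermissions(roles, user, item, opts).has(perm)) return false;
  // An item permission only counts if the user can also read every folder
  // above the item; an item role scoped to 'secret/.*' must not expose a job
  // to someone who cannot see 'secret'. Skipping this check reproduces the
  // behaviour described for CVE-2021-21624.
  if (opts.checkAncestors && perm.startsWith('Item/')) {
    for (const folder of ancestors(item)) {
      if (!effectivePermissions(roles, user, folder, opts).has('Item/Read')) return false;
    }
  }
  return true;
}

// Constructed role configuration.
const ROLES = [
  { name: 'admins', members: ['alice'], permissions: ['Overall/Administer'] },
  // Misconfiguration: a disabled permission named directly in a role.
  { name: 'managers', members: ['bob'], permissions: ['Overall/Manage'] },
  // Item role: carol may read jobs under 'secret/' but nothing grants her the folder.
  { name: 'secret-jobs', members: ['carol'], pattern: /^secret\/.+$/, permissions: ['Item/Read'] },
];

const HARDENED = { honourDisabled: true, checkAncestors: true };
const LEGACY = { honourDisabled: false, checkAncestors: false };
```

Under `HARDENED`, alice still holds Item/ExtendedRead on `secret/build` because Overall/Administer is enabled and implies it, while bob's directly named Overall/Manage is dropped and carol's read on `secret/build` fails at the `secret` folder; under `LEGACY`, both bob and carol are granted what the two CVEs describe. The ancestor walk re-evaluates the roles for each folder rather than reusing the item's permission set, because item roles are scoped by pattern and the folder may match a different set of roles than the job inside it.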