11 matches found
CVE-2026-34233
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators onl...
CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
CVE-2026-42349 Clerk: Authorization bypass when combining organization, billing, or reverification checks
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has, auth.protect, and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be...
EUVD-2026-24574
pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...
EUVD-2026-11406
Winter vulnerable to privilege escalation by authenticated backend users...
CVE-2026-27591 Winter: Privilege escalation by authenticated backend users
Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their accounts level of access to the system by modifying the roles / permissions assigned to their...
CVE-2025-42936
The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impac...
Improper Access Control
aimeos/ai-admin-graphql is vulnerable to an Improper Access Control. The vulnerability is due to insufficient restrictions or checks on user roles and permissions, allowing an editor to modify and take over an admin account in the back end...
PT-2024-34584 · Lunary · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary versions 1.2.2 through 1.2.25 Description: The issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a project and potentially exploit roles and permissions not...
Human vs. Non-Human Identity in SaaS
In today's rapidly evolving SaaS environment, the focus is on human users. This is one of the most compromised areas in SaaS security management and requires strict governance of user roles and permissions, monitoring of privileged users, their level of activity dormant, active, hyperactive, thei...
CVE-2022-32251
A vulnerability has been identified in SINEMA Remote Connect Server All versions V3.1. There is a missing authentication verification for a resource used to change the roles and permissions of a user. This could allow an attacker to change the permissions of any user and gain the privileges of an...