Lucene search
K

109 matches found

Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-8649 Institution scope bypass vulnerability in custom reports

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3...

6.4CVSS0.00234EPSS
Exploits0References1
CVE
CVE
added 5 days ago11 views

CVE-2026-8649

Summary of CVE-2026-8649 : An instance of Improper Neutralization of Special Elements in Data Query Logic affects MOVEit Transfer (Custom Reports modules). The issue impacts MOVEit Transfer versions prior to 2025.0.7 and from 2025.1.0 up to before 2025.1.3. The CVSS vectors indicate a high-severi...

9.8CVSS5.9AI score0.00234EPSS
Exploits0References1Affected Software1
NVD
NVD
added 5 days ago7 views

CVE-2026-55668

File Browser provides a web file managing interface. Prior to 2.63.16, ScopedFs validates the nearest existing ancestor of a dangling symlink as in scope and then follows the symlink during file creation, allowing an authenticated user with Create and Modify permissions to create...

6.3CVSS0.00269EPSS
Exploits0References3
CVE
CVE
added 5 days ago7 views

CVE-2026-10698

CVE-2026-10698 is an Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer, specifically affecting the Custom Reports module . Affected versions are MOVEit Transfer 2025.0.0–before 2025.0.8, 2025.1.0–before 2025.1.4, and 2026.0.0–before 2026.0.1...

7.2CVSS5.9AI score0.00442EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-10698 Table scope bypass vulnerability in custom reports

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer Custom Reports modules. This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1...

7.2CVSS0.00442EPSS
Exploits0References1
NVD
NVD
added 6 days ago7 views

CVE-2026-53935

Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, enabling hijacking traffic to Services in any namespa...

6.9CVSS0.00341EPSS
Exploits0References7
NVD
NVD
added 2026/07/03 9:16 p.m.5 views

CVE-2026-27761

Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope...

4.3CVSS0.00367EPSS
Exploits0References4
NVD
NVD
added 2026/07/03 9:16 p.m.5 views

CVE-2026-20706

Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint...

9.1CVSS0.00403EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/03 8:19 p.m.38 views

CVE-2026-28744 Gitea Git smart HTTP bypasses repository token scopes for bearer tokens

Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks...

8.1CVSS0.00343EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/03 8:19 p.m.6 views

CVE-2026-28699

Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication...

8.1CVSS5.8AI score0.00566EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/07/03 8:19 p.m.40 views

CVE-2026-28699 Gitea Basic Auth bypasses OAuth2 access token scopes

Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication...

8.1CVSS0.00566EPSS
Exploits1References4
CVE
CVE
added 2026/07/03 8:19 p.m.19 views

CVE-2026-27761

Gitea versions up to and including 1.26.2 expose private repository commit data via RSS/Atom feed endpoints by bypassing API access token scope checks. This affects feeds that do not enforce repository scope, allowing tokens without repository scope to access private data. Public references indic...

4.3CVSS7.1AI score0.00367EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/03 8:19 p.m.43 views

CVE-2026-27761 Gitea repository feeds bypass API token scope enforcement

Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope...

4.3CVSS0.00367EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/03 8:19 p.m.7 views

CVE-2026-20706

Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint...

5.9AI score0.00403EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.10 views

PT-2026-55602

Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.26.3 Description Repository RSS and Atom feed endpoints bypass API access token scope checks. This allows tokens that lack the necessary repository scope to access commit data from private repositories. Recommendation...

4.3CVSS7AI score0.00367EPSS
Exploits0References9
OSV
OSV
added 2026/07/02 4:6 p.m.4 views

GHSA-HW9R-H9MR-4JFF OpenClaw: Scoped chat.send route inheritance could bypass admin command scope gates

Summary Some internal command handlers require operator.approvals or operator.admin scopes. In affected releases, a scoped Gateway chat.send request delivered through an inherited external route could be evaluated as an external-channel command while still carrying the lower Gateway client scopes...

8.8CVSS5.8AI score0.00253EPSS
Exploits0References2
NVD
NVD
added 2026/06/30 3:16 p.m.15 views

CVE-2026-27883

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the GET /api/v1/deployments/uuid endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId ...

5CVSS0.00213EPSS
Exploits0References1
CVE
CVE
added 2026/06/30 12:0 p.m.21 views

CVE-2026-4629

CVE-2026-4629 affects Keycloak. A highly privileged user with the ability to manage clients can inject a hardcoded role mapper into any client, bypassing scope restrictions and injecting the realm-admin role into generated tokens, yielding full administrative access to the realm. The vulnerabilit...

6.5CVSS5.7AI score0.0024EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/06/29 5:20 p.m.33 views

CVE-2026-57951 Mythic < 3.4.0.60 - Broken Permission Filter in payload_build_step Table

Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...

7.1CVSS0.00246EPSS
Exploits0References4
NVD
NVD
added 2026/06/25 7:16 p.m.11 views

CVE-2026-55667

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.16, a scoped, non-admin File Browser user holding only the Create permission can delete arbitrary files outside their scope other tenants' data, a...

8.2CVSS0.00359EPSS
Exploits0References1
Rows per page
Query Builder