Lucene search
K

25 matches found

CVE
CVE
added 2026/06/22 9:46 p.m.28 views

CVE-2026-48067

CVE-2026-48067 affects Filament components where the recordSelectOptionsQuery() used to scope options in AttachAction and AssociateAction Select fields did not apply the same scope in validation. From filament/actions 4.0.0–4.11.4 and 5.6.4, and filament/tables 3.0.0–3.3.51, an attacker could tri...

6.5CVSS5.8AI score0.00178EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 11:43 a.m.5 views

CVE-2026-56422

Multiple MISP core controllers and model capture paths accepted client-controlled request fields such as primary keys id and ownership/scope foreign keys eventid, orgid, userid, sharinggroupid, galaxyclusteruuid, organisationuuid, and related nested object identifiers without consistently...

9.4CVSS6AI score0.00362EPSS
Exploits0References17
OSV
OSV
added 2026/06/18 3:32 p.m.5 views

GHSA-5GF6-GC35-XJPC MCP Toolbox for Databases: authenticated authorization bypass

An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol...

8.6CVSS5.9AI score0.0015EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/18 11:55 a.m.5 views

CVE-2026-11719

An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol...

8.6CVSS5.5AI score0.0015EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/18 11:55 a.m.28 views

CVE-2026-11719

CVE-2026-11719 describes an authenticated authorization bypass in MCP Toolbox for Databases due to missing scope enforcement on older protocol handlers. The 2025-11-25 protocol version handler enforces per-tool scope restrictions, but older versions (2025-06-18, 2025-03-26, 2024-11-05) omit this ...

8.6CVSS5.5AI score0.0015EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/18 11:55 a.m.23 views

CVE-2026-11719

An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol...

8.6CVSS0.0015EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.30 views

PT-2026-50661

Name of the Vulnerable Software and Affected Versions MCP Toolbox for Databases affected versions not specified Description An authenticated authorization bypass occurs due to missing scope enforcement in older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces...

8.6CVSS5.9AI score0.0015EPSS
Exploits0References10
OSV
OSV
added 2026/06/16 11:41 p.m.6 views

GHSA-8629-VC8R-5P58 Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw

Summary Two related issues in the token public-only scope enforcement introduced by PR 32204 CVE-2025-68941 fix. A public-only scoped API token can access private organization data. Issue 1: /user/orgs missing checkTokenPublicOnly routers/api/v1/api.go line 1599: go m.Get"/user/orgs", reqToken,...

4.3CVSS5.5AI score0.00271EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/16 11:40 p.m.10 views

Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication

Summary Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of a Bearer token. An OAuth2 application granted only read:user can use the same token as Authorization: Basic base64:x-oauth-basic and perform write actions, including...

8.1CVSS5.4AI score0.00566EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.19 views

PT-2026-50135

Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description An issue exists in the token public-only scope enforcement where a public-only scoped API token can access private organization data. This occurs due to two flaws: the endpoint '/user/orgs' is...

4.3CVSS5.8AI score0.00271EPSS
Exploits0References8
OSV
OSV
added 2026/05/21 8:34 p.m.8 views

GHSA-M5QG-RVJQ-727P NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation

Summary The OAuth token strategy attached oauthscope and oauthgrantedresources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope e.g. MCP-only therefore inherited the full permissions of the underlying user across all routes; the...

2CVSS5.8AI score0.00151EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.14 views

PT-2026-42675

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.04.1 Description The OAuth token strategy attaches oauth scope and oauth granted resources to the request user, but the ACL Access Control List middleware fails to consult these values. Consequently, an OAuth toke...

2CVSS5.8AI score0.00151EPSS
Exploits0References7
GithubExploit
GithubExploit
added 2026/04/30 4:21 a.m.78 views

exploit-tool

Exploit-Tool Single-console pentest platform built on authori...

5.5AI score
Exploits0
GithubExploit
GithubExploit
added 2026/04/29 2:46 p.m.122 views

Threatswarm

27 scope-enforced AI agents that run the full pentest kill-cha...

10CVSS7.5AI score0.99999EPSS
Exploits351
Patchstack
Patchstack
added 2026/04/25 11:45 p.m.9 views

NPM: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization

NPM: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...

6.5CVSS5.8AI score0.00222EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/25 11:45 p.m.12 views

OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization

Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact The Control UI assistant-media route authenticated trusted-proxy callers but did not enforce the declared operator scopes for identity-bearing HTTP auth paths. A trusted-proxy...

6.5CVSS5.3AI score0.00222EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/23 6:33 p.m.8 views

Duplicate Advisory: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v8qf-fr4g-28p2. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows...

6.5CVSS5.7AI score0.00222EPSS
Exploits0References5Affected Software1
Snyk
Snyk
added 2026/04/10 7:39 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization missing RequireScopes enforcement on privileged routes. An attacker can gain unauthorized access to privileged endpoints and export sensitive backup data by using a deliberately limited admin access token on rout...

6.4CVSS5.8AI score
Exploits0References2
NVD
NVD
added 2026/04/10 5:17 p.m.5 views

CVE-2026-40103

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only...

5.4CVSS0.00222EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.7 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.22 contained security vulnerabilities. These vulnerabilities stemmed from the lack of enforcement of controlScope restrictions on sending operations, which could allow leaf agen...

5.3CVSS5.8AI score0.002EPSS
Exploits0References4
Rows per page
Query Builder