9 matches found
SUSE CVE-2026-29195
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler PUT /api/users/username lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to...
Netmaker has Privilege Escalation from Admin to Super-Admin via User Update
The user update handler PUT /api/users/username lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to another user, it does not include an equivalent check for the...
CVE-2026-29195
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler PUT /api/users/username lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to...
EUVD-2010-5255
Malware in sbrugna...
CVE-2010-5296
wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action...
CVE-2024-56525
In Public Knowledge Project PKP OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and insert a backdoor plugin, by uploading a crafted XML document as a User XML Plugin...
CVE-2024-56525
In Public Knowledge Project PKP OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super admin in the journal context, and insert a backdoor plugin, by uploading a crafted XML document as a User XML Plugin...
Annotation tool: token forgery using jwt secret to claim super admin role
Although the annotator tool's source code is not directly provided in the repository, a Docker image is provided. From there it is easy to get access to the source code by either extracting the Docker tar image, which can be exported from Docker itself, or connecting to the container with an...
CVE-2022-21663 Authenticated Object Injection in Multisites in WordPress
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3...