Lucene search
K

235 matches found

Cvelist
Cvelist
added yesterday17 views

CVE-2026-58319 Apache Doris: Improper Authentication in Frontend HTTP API

Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to...

0.00255EPSS
Exploits0References1
CVE
CVE
added yesterday11 views

CVE-2026-58319

CVE-2026-58319 concerns Apache Doris Frontend (FE) HTTP REST administrative APIs that were reachable without authentication. The available data states an unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially compromis...

9.1CVSS6.1AI score0.00255EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/24 9:1 p.m.2 views

CVE-2026-33543 FOSSBilling: Authentication bypass allows unauthenticated administrator creation

FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already...

9.3CVSS5.9AI score0.00289EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/22 8:10 a.m.9 views

EUVD-2025-210297

The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy BLE interface...

8.7CVSS5.9AI score0.00207EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.9 views

CVE-2026-40291

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/id endpoint allows any authenticated user with ROLESTUDENT to escalate their privileges to ROLEADMIN by modifying the roles field o...

8.8CVSS5.5AI score0.00316EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/29 2:46 p.m.13 views

EUVD-2018-21919

PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST...

6.9CVSS5.7AI score0.00162EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/27 5:9 p.m.17 views

EUVD-2026-32602

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

8.8CVSS6AI score0.00261EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.11 views

Lumiverse 竞争条件问题漏洞

Lumiverse is a full-featured AI chat application suite developed by Prolix OCs’ individual developers. Versions of Lumiverse prior to 0.9.7 contained a race condition vulnerability. This vulnerability stemmed from the fact that the consumeNonce function only checked whether module-level variables...

4.8CVSS5.8AI score0.00118EPSS
Exploits0References2
OSV
OSV
added 2026/05/16 4:16 p.m.2 views

CVE-2020-37241

bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts...

6.9CVSS5.9AI score
Exploits0References4
EUVD
EUVD
added 2026/05/13 6:30 p.m.12 views

EUVD-2020-31218

Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=adduser endpoint with POST requests...

5.1CVSS5.7AI score0.0014EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/13 2:22 p.m.9 views

CVE-2020-37217

Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=adduser endpoint with POST requests...

5.1CVSS5.7AI score0.0014EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.14 views

PT-2026-40618

Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages. Attackers can craft HTML forms targeting the admin.php?action=add user endpoint with POST requests...

5.1CVSS5.7AI score0.0014EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/08 10:59 p.m.7 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the nnef-oam route group due to missing inbound authentication and authorization checks. An attacker can gain unauthorized access to administrative operations by sending unauthenticated requests to the exposed...

10CVSS5.8AI score0.00311EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/04 9:28 p.m.9 views

Missing Authentication for Critical Function

Overview github.com/0xJacky/Nginx-UI/api/system is a yet another Nginx Web UI Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the api/install endpoint during the initial setup process. An attacker can gain unauthorized administrative access by...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References2
GithubExploit
GithubExploit
added 2026/05/04 7:17 p.m.105 views

Exploit for Missing Authentication for Critical Function in Cpanel

A recente vulnerabilidade CVE-2026-41940 trouxe grande preocupaç...

9.8CVSS6AI score0.981EPSS
Exploits64
Tenable Nessus
Tenable Nessus
added 2026/04/24 12:0 a.m.8 views

Rclone 1.45.x < 1.73.5 Authentication Bypass (CVE-2026-41176)

The version of Rclone installed on the remote host is 1.45.x prior to 1.73.5. It is, therefore, affected by an authentication bypass vulnerability: - The RC endpoint options/set is exposed without AuthRequired, but it can mutate global runtime configuration, including the RC option block itself. ...

9.8CVSS5.6AI score0.34734EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/23 3:7 p.m.6 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the options/set endpoint. An attacker can set rc.NoAuth=true and override default AuthRequired: true which can lead to unauthorized access to sensitive administrative functionality,...

9.8CVSS5.7AI score0.34734EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/04/21 12:0 a.m.10 views

FreeScout 跨站请求伪造漏洞

FreeScout is a lightweight and powerful free open-source help desk and shared inbox built using PHP Laravel framework by FreeScout Inc. Versions of FreeScout prior to 1.8.215 contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the email OAuth disconnection being...

5.4CVSS5.8AI score0.0012EPSS
Exploits0References2
Snyk
Snyk
added 2026/04/15 10:30 p.m.7 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

9.4CVSS5.5AI score0.00509EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/10 4:3 p.m.8 views

CVE-2026-35669

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform...

8.8CVSS5.8AI score0.00298EPSS
Exploits0References4
Rows per page
Query Builder