Lucene search
+L

2726 matches found

Github Security Blog
Github Security Blog
added 2026/05/11 2:5 p.m.19 views

Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission

Vulnerability Description In standard channels i.e., channels whose channel.type is neither group nor dm, the endpoint POST /api/v1/channels/channelid/messages/messageid/update can be accessed with read permission only. When accesscontrol is set to None, the authorization check hasaccess...,...

6.5CVSS5.7AI score0.00277EPSS
Exploits1References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.13 views

PT-2026-39673

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.6 Description In standard channels where channel.type is neither group nor dm, the endpoint "POST /api/v1/channels/channel id/messages/message id/update" can be accessed with read permission only. When access...

6.5CVSS6AI score0.00277EPSS
Exploits1References13
Positive Technologies
Positive Technologies
added 2026/05/10 12:0 a.m.25 views

PT-2026-41175

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.5.7 Description An issue exists where a user can modify another user's model regardless of whether its visibility is set to Private. By altering access permissions during the editing process, unauthorized access...

6.8CVSS5.8AI score0.00226EPSS
Exploits1References12
RedhatCVE
RedhatCVE
added 2026/05/06 8:22 p.m.9 views

CVE-2026-3601

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3CVSS5.9AI score0.003EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/05 7:0 p.m.9 views

CVE-2026-32699 FacturaScripts unauthorized modification of immutable nick field via EditUser controller

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

5.3CVSS5.8AI score0.0033EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/05 7:0 p.m.45 views

CVE-2026-32699 FacturaScripts unauthorized modification of immutable nick field via EditUser controller

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

5.3CVSS0.0033EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/05 7:0 p.m.6 views

CVE-2026-32699

FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser controller. Although the user interface prevents editing this field, a user can bypass this restriction b...

5.3CVSS5.8AI score0.0033EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/05/05 9:16 a.m.16 views

CVE-2026-3601

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3CVSS0.003EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/05/05 8:27 a.m.8 views

CVE-2026-3601 User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3CVSS5.9AI score0.003EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.21 views

PT-2026-36971

The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Live Action::reset function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress init action and triggers when both post...

6.5CVSS5.8AI score0.00355EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.9 views

CVE-2026-4100

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.7 views

CVE-2026-3143

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxclicancel' function in all versions up to, and including, 1.17.1. This makes it possible for...

5.3CVSS5.8AI score0.00257EPSS
Exploits1References1
NVD
NVD
added 2026/05/02 12:16 p.m.11 views

CVE-2026-4100

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

7.1CVSS0.00247EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/02 11:16 a.m.38 views

CVE-2026-4100 Paid Memberships Pro <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

7.1CVSS0.00247EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/02 11:16 a.m.18 views

EUVD-2026-26782

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/02 11:16 a.m.5 views

CVE-2026-4100

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References3
CVE
CVE
added 2026/05/02 11:16 a.m.29 views

CVE-2026-4100

The CVE concerns the Paid Memberships Pro plugin for WordPress, affecting all versions up to 3.6.5. The root cause is missing capability checks on three AJAX handlers: wp_ajax_pmpro_stripe_create_webhook, wp_ajax_pmpro_stripe_delete_webhook, and wp_ajax_pmpro_stripe_rebuild_webhook. This allows a...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References2
OSV
OSV
added 2026/04/28 10:39 p.m.5 views

GHSA-PP79-HQV6-VMC3 FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field

Summary The application fails to validate the nick parameter during a POST request to the EditUser controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account including the Administrator. This leads to Broken Access Control and...

5.3CVSS5.8AI score0.0033EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/28 10:39 p.m.16 views

FacturaScripts has Insecure Parameter Handling: Unauthorized Modification of Immutable 'nick' Field

Summary The application fails to validate the nick parameter during a POST request to the EditUser controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account including the Administrator. This leads to Broken Access Control and...

5.3CVSS5.2AI score0.0033EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/04/28 6:10 p.m.5 views

EUVD-2026-26116

OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model...

4.3CVSS5.2AI score0.00237EPSS
Exploits0References3
Rows per page
Query Builder