26 matches found
CVE-2026-25161
CVE-2026-25161 affects Alist up to version 3.56.x, with a path traversal flaw in multiple file operation handlers. By injecting traversal sequences into filename components, an authenticated user can bypass directory-level authorisation and perform unauthorised removal, movement, or copying of fi...
EUVD-2026-5366
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains a path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal...
CVE-2026-25161 Alist vulnerable to Path Traversal in multiple file operation handlers
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains a path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal...
UBUNTU-CVE-2025-53112
GLPI is a free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.1...
CVE-2025-53112 GLPI's incomprehensive permission checks can lead to data removal from allowed users
GLPI is a free Asset and IT Management Software package that provides ITIL Service Desk features, license tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.1...
PT-2025-31388 · Glpi +1 · Glpi +1
Name of the Vulnerable Software and Affected Versions: GLPI versions 9.1.0 through 10.0.18 Description: GLPI is an Asset and IT Management Software package providing ITIL Service Desk features, licenses tracking, and software auditing. A lack of permission checks in affected versions can result i...
CVE-2025-27538
Summary: CVE-2025-27538 affects Mattermost Server versions 10.5.x (≤ 10.5.1) and 9.11.x (≤ 9.11.9). The issue is that MFA checks are not enforced in PUT /api/v4/users/user-id/mfa when the requesting user differs from the target user, enabling users with the edit_other_users permission to activate...
CVE-2023-39973
Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns...
CVE-2023-39973 Extension - acymailing.com - Improper Access Control in AcyMailing Enterprise component for Joomla 6.7.0-8.6.3
Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns...
CVE-2023-1071
An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic...
Design/Logic Flaw
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions...
CVE-2021-36400
In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions...
CVE-2023-22737 wire-server vulnerable to unauthorized removal of Bots from Conversations
wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular...
NFTFloorOracle price feeders can be removed by anyone
Vulnerability details / Impact: The NFT price feeders in the NFTFloorOracle contract should be added or removed only by the admin, but because the removeFeeder function is missing the onlyRole(DEFAULT_ADMIN_ROLE) modifier, any user can remove a feeder. This could impact the whole protocol i...
CVE-2022-35412
Digital Guardian Agent 7.7.4.0042 contains an information-disclosure risk: an administrator (who normally cannot uninstall the product) can disable certain agent features and exfiltrate files to an external USB device. This CVE (CVE-2022-35412) is a local-attack scenario with Privileges Required:...
GHSA-9695-W6H2-JPV9 Keycloak users may be able to remove MFA from other users' devices
A community-only flaw was found where a malicious user can register themselves and then use the "remove devices" form to post different credential ids in the hope of removing MFA devices for other users...
GHSA-3H69-4FRW-G2JM Magento 2 Community Unrestricted File Upload
A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unauthorized removal o...
WordPress Link Library plugin arbitrary link deletion vulnerability
Link Library is a WordPress plugin. Link Library versions prior to 7.2.8 have an arbitrary link removal vulnerability, which stems from missing authorization checks on link removal and can be exploited by attackers to remove arbitrary links via crafted requests...
Design/Logic Flaw
In JetBrains YouTrack before 2019.2.55152, removing tags from the issues list without the corresponding permission was possible...