3 matches found
CVE-2026-33706 Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher)
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the updateuserfromusername endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management...
Mattermost Security Vulnerabilities
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. Mattermost suffers from a security vulnerability that stems from failing to properly clean up the user object when updating the username, causing the password hash to be included in the response body...
in microweber/microweber
Description: There is no input field length in update username, where any user is able to add a large number of characters; imagine we can add more than 5000+ characters to the update name field. Steps to Reproduce: Visit the particular URL Vulnerable-link where there is a functionality to update o...