11 matches found
CVE-2026-48010 Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...
Improper Privilege Management
Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Improper Privilege Management via the upsertUser function. An attacker can gain unauthorized administrative privileges by creating or updating user accounts with elevated permissions...
Improper Privilege Management
Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Improper Privilege Management via the upsertUser function. An attacker can gain unauthorized administrative privileges by creating or updating user...
CVE-2026-23480
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...
CVE-2026-23480
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...
CVE-2026-23480 Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...
CVE-2026-23480 Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...
CVE-2026-23480
Blinko (pre-1.8.4) contains a privilege-escalation flaw in the upsertUser endpoint. Three issues are cited: missing superAdminAuthMiddleware allows any authenticated user to call the endpoint; originalPassword is optional, bypassing password verification if omitted; and no check for input.id === ...
EUVD-2026-14529
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...
CVE-2026-23480 Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...
PT-2026-27203
Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...