Lucene search
+L

11 matches found

Cvelist
Cvelist
added 3 hours ago9 views

CVE-2026-48010 Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...

6.5CVSS0.00034EPSS
Exploits0References5
Snyk
Snyk
added 2026/06/04 7:28 p.m.8 views

Improper Privilege Management

Overview shopware/platform is a Shopware e-commerce core. Affected versions of this package are vulnerable to Improper Privilege Management via the upsertUser function. An attacker can gain unauthorized administrative privileges by creating or updating user accounts with elevated permissions...

8.5CVSS5.8AI score0.00034EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/04 7:28 p.m.6 views

Improper Privilege Management

Overview shopware/core is a Shopware platform is the core for all Shopware ecommerce products. Affected versions of this package are vulnerable to Improper Privilege Management via the upsertUser function. An attacker can gain unauthorized administrative privileges by creating or updating user...

8.5CVSS5.8AI score0.00034EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.7 views

CVE-2026-23480

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...

8.8CVSS5.8AI score0.00343EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/23 8:39 p.m.2 views

CVE-2026-23480

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...

5.3CVSS5.8AI score0.00343EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/03/23 8:39 p.m.21 views

CVE-2026-23480 Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...

5.3CVSS0.00343EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/23 8:39 p.m.3 views

CVE-2026-23480 Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...

5.3CVSS5.8AI score0.00343EPSS
Exploits0References3
CVE
CVE
added 2026/03/23 8:39 p.m.13 views

CVE-2026-23480

Blinko (pre-1.8.4) contains a privilege-escalation flaw in the upsertUser endpoint. Three issues are cited: missing superAdminAuthMiddleware allows any authenticated user to call the endpoint; originalPassword is optional, bypassing password verification if omitted; and no check for input.id === ...

8.8CVSS5.8AI score0.00343EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/03/23 8:39 p.m.7 views

EUVD-2026-14529

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...

5.3CVSS5.8AI score0.00343EPSS
Exploits0References3
OSV
OSV
added 2026/03/23 8:39 p.m.8 views

CVE-2026-23480 Blinko: Low Privilege User Privilege Escalation - upsertUser Endpoint

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...

5.3CVSS5.8AI score0.00343EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/23 12:0 a.m.10 views

PT-2026-27203

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is a privilege escalation vulnerability. The upsertUser endpoint has 3 issues: it is missing superAdminAuthMiddleware, any logged-in user can call it; the originalPassword is an optional parameter and if not provided...

5.3CVSS5.8AI score0.00343EPSS
Exploits0References4
Rows per page
Query Builder