Lucene search
K

232 matches found

CVE
CVE
added 6 days ago12 views

CVE-2026-31309

CVE-2026-31309 affects Mysterium Node prior to v1.36.0. The vulnerability is an improper authorization flaw in the directory/endpoint “/tequilapi/config/user” that allows unauthenticated attackers to arbitrarily overwrite the node’s configuration via a crafted POST request, enabling a full node t...

7.5CVSS6AI score0.00367EPSS
Exploits1References7
OSV
OSV
added 2026/06/26 9:23 p.m.3 views

GHSA-985R-Q3QP-299H phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards

Advisory / Disclosure phpMyFAQ 4.1.3 — incomplete fix for the admin-API IDOR/privilege-escalation class Target: thorsten/phpMyFAQ composer: thorsten/phpmyfaq, phpmyfaq/phpmyfaq Affected: "Only SuperAdmins may change other users' attributes. Self-service is always allowed." and "a non-SuperAdmin...

8.1CVSS6AI score0.00251EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/24 11:53 a.m.7 views

EUVD-2026-38737

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a...

9.3CVSS6AI score0.00244EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/24 11:53 a.m.5 views

CVE-2026-56223

Capgo before 12.128.2 contains a cross-domain SSO account takeover vulnerability in the provision-user endpoint that allows attackers to merge arbitrary victim accounts based on email match without validating SSO provider domain authorization. An attacker with enterprise org admin access and a...

9.3CVSS6AI score0.00244EPSS
Exploits0References3
OSV
OSV
added 2026/06/17 6:9 p.m.6 views

GHSA-WRR5-99H5-GQ57 Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes

Summary Many authenticated self routes under /api/v1/user/... do not enforce the public-only token restriction. As a result, a token or OAuth grant marked public-only, but otherwise carrying the route-required read/write scope category, can access or modify private account resources through self...

8.1CVSS5.5AI score
Exploits0References2
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.13 views

bookcars 安全漏洞

Bookcars is a car rental management platform developed by Akram El Assas. Version 8.3 of Bookcars contains a security vulnerability. This vulnerability stems from the/api/create-user component, which has an unlimited file renaming vulnerability. This could allow authenticated attackers to use...

8.8CVSS6.2AI score0.00998EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:50 p.m.12 views

CVE-2026-7091

A flaw has been found in code-projects Invoice System in Laravel 1.0. This impacts an unknown function of the file /user of the component User Management Handler. This manipulation causes improper authorization. Remote exploitation of the attack is possible. The exploit has been published and may...

6.5CVSS6.1AI score0.00201EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.12 views

CVE-2026-35476

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...

7.2CVSS5.5AI score0.00145EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/02 12:0 a.m.9 views

NamelessMC 安全漏洞

NamelessMC is a free, easy-to-use, and powerful website software developed by the NamelessMC team. It’s suitable for your Minecraft server and comes with numerous features. Version 2.2.4 of NamelessMC has a security vulnerability. This vulnerability stems from the lack of proper cleaning or outpu...

4.3CVSS5AI score0.00185EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/25 12:15 a.m.40 views

CVE-2026-9409 Sushmi-pal Invoice-System User Management user improper authorization

A flaw has been found in Sushmi-pal Invoice-System up to a0a3faa16dee2621b231ae227333f5761607283b. This affects an unknown part of the file /user of the component User Management Handler. This manipulation of the argument role causes improper authorization. It is possible to initiate the attack...

5.3CVSS0.00198EPSS
Exploits0References4
OSV
OSV
added 2026/05/20 3:44 p.m.14 views

GHSA-59FH-9F3P-7M39 Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification

Summary A Mass Assignment vulnerability in the PUT /api/v1/user endpoint allows authenticated users to directly modify restricted user fields, including the credential password hash, bypassing the intended password change workflow. Because the endpoint forwards the entire request body to the...

6CVSS5.8AI score0.00251EPSS
Exploits0References2
NVD
NVD
added 2026/05/18 11:16 p.m.18 views

CVE-2026-30950

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the sessionid of another user's session,...

7.1CVSS0.00384EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/18 10:28 p.m.8 views

CVE-2026-30950 AutoGPT has Authenticated Session Hijacking via IDOR

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the sessionid of another user's session,...

7.1CVSS5.9AI score0.00384EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/05/18 10:28 p.m.11 views

CVE-2026-30950

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the sessionid of another user's session,...

7.1CVSS5.9AI score0.00384EPSS
Exploits1References3Affected Software1
CNNVD
CNNVD
added 2026/05/18 12:0 a.m.10 views

AutoGPT 安全漏洞

AutoGPT is an open-source tool developed by AutoGPT. It aims to make AI accessible and usable for everyone. Versions 0.6.36 to 0.6.50 of AutoGPT contain security vulnerabilities. These vulnerabilities stem from the lack of verification of session ownership at the PATCH...

7.1CVSS5.8AI score0.00384EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/15 6:36 p.m.13 views

CVE-2021-47962

Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edituser endpoint, which execute in th...

6.4CVSS5.7AI score0.00243EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/05/15 6:36 p.m.10 views

EUVD-2021-34815

Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edituser endpoint, which execute in th...

6.4CVSS5.7AI score0.00243EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.11 views

PT-2026-41341

Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. Attackers can inject script payloads into user profile fields at the edit user endpoint, which execute in t...

6.4CVSS5.7AI score0.00243EPSS
Exploits0References5
CVE
CVE
added 2026/05/13 2:22 p.m.23 views

CVE-2020-37217

CVE-2020-37217 affects Easy2Pilot 7 and describes a Cross-Site Request Forgery vulnerability targeting admin.php?action=add_user. An attacker can trick an authenticated administrator into submitting a crafted POST to create new administrative accounts without consent. The described impact include...

5.1CVSS5.7AI score0.0014EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/08 2:0 a.m.9 views

CVE-2026-8127

A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed to the publi...

6.5CVSS6.1AI score0.00201EPSS
Exploits0References4
Rows per page
Query Builder