Lucene search
K

260 matches found

Tenable Nessus
Tenable Nessus
added 6 days ago5 views

Devolutions Server 2026.2.4 <= 2026.2.7 Credential Exposure (DEVO-2026-0020)

The version of Devolutions Server installed on the remote host is 2026.2.4 through 2026.2.7. It is, therefore, affected by a vulnerability: - Improper input validation in the PAM AD discovery endpoints allows an authenticated user with the UserGroupsView permission to coerce server-side...

2.7CVSS6AI score0.00216EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 1:28 p.m.17 views

CVE-2026-5136

Summary : CVE-2026-5136 affects Foreman. A flaw in the Usergroup model allows an authenticated user with usergroup management permissions to attach arbitrary roles (including administrator) to a user group and then add themselves as a member, enabling full privilege escalation to administrator-le...

8.8CVSS5.8AI score0.00302EPSS
Exploits0References6Affected Software1
NVD
NVD
added 2026/06/25 2:16 p.m.8 views

CVE-2026-12755

Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2...

2.7CVSS0.00216EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/25 1:12 p.m.4 views

EUVD-2026-39386

Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2...

2.7CVSS5.8AI score0.00216EPSS
Exploits0References1
CVE
CVE
added 2026/06/08 6:26 p.m.27 views

CVE-2026-10787

The CVE-2026-10787 entry concerns Devolutions Server (versions 2026.2.4.0 and 2026.1.20.0 and earlier) where missing authorization in the deleted user groups API allows an authenticated, low-privileged user to enumerate metadata of deleted user groups via a crafted API request. The issue targets ...

4.3CVSS5.5AI score0.00155EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/08 6:26 p.m.8 views

CVE-2026-10787

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server 2026.1.20.0 and earlier...

5.5AI score0.00155EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/08 12:0 a.m.13 views

PT-2026-47431

Name of the Vulnerable Software and Affected Versions Devolutions Server version 2026.2.4.0 Devolutions Server versions prior to 2026.1.20.0 Description Missing authorization in the deleted user groups API allows an authenticated low-privileged user to enumerate metadata of deleted user groups by...

4.3CVSS5.2AI score0.00155EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/06/08 12:0 a.m.7 views

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server such as 2026.2.4.0, 2026.1.20.0, and earlier versions have security vulnerabilities. These...

4.3CVSS5.4AI score0.00155EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:36 p.m.11 views

CVE-2026-41128

Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3CVSS5.5AI score0.00248EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/24 8:47 p.m.11 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key because the create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker...

6.9CVSS5.9AI score0.00352EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/19 9:19 a.m.8 views

CVE-2026-46721

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...

6.9CVSS5.9AI score0.00352EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/05/19 12:0 a.m.10 views

TYPO3 Extension Frontend User Registration 安全漏洞

TYPO3 Extension Frontend User Registration is an open-source extension for TYPO3 that handles user registration at the frontend level. There is a security vulnerability in TYPO3 Extension Frontend User Registration. This vulnerability stems from the lack of restrictions on the submission of user...

6.9CVSS5.8AI score0.00352EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.29 views

PT-2026-41861

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to...

6.9CVSS5.9AI score0.00352EPSS
Exploits0References2
Microsoft KB
Microsoft KB
added 2026/05/12 2:0 p.m.11 views

Update 25.18 for Microsoft Dynamics 365 Business Central 2024 Release Wave 2 (Application Build 25.18.48229, Platform Build 25.2.48119)

None None...

7.8CVSS5.8AI score0.00272EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.28 views

PT-2026-38285

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0 through 4.17.11 Craft CMS versions 5.0.0 through 5.9.17 Description The GraphQL Address element resolver in src/gql/resolvers/elements/Address.php fails to perform schema scope filtering on top-level queries. While oth...

7.1CVSS5.8AI score0.00338EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/04/21 11:32 p.m.5 views

CVE-2026-41128 Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action

Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3CVSS5.9AI score0.00248EPSS
Exploits0References2
CVE
CVE
added 2026/04/21 11:32 p.m.16 views

CVE-2026-41128

Craft CMS (versions 5.6.0–5.9.14) contains an authorization flaw in the actionSavePermissions() endpoint. A user with only viewUsers permission can remove arbitrary users from all groups because _saveUserGroups() lacks a corresponding removal authorization check for an empty groups payload. This ...

5.3CVSS5.9AI score0.00248EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.4 views

PT-2026-34219

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.6.0 through 5.9.14 Description The 'actionSavePermissions' endpoint allows a user possessing only viewUsers permission to remove arbitrary users from all user groups. This occurs because the saveUserGroups function enforce...

5.3CVSS5.4AI score0.00248EPSS
Exploits0References6
OSV
OSV
added 2026/04/14 11:34 p.m.4 views

GHSA-JQ2F-59PJ-P3M3 Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action

Summary The actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty groups...

5.3CVSS6AI score0.00248EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/09 4:14 p.m.3 views

CVE-2026-39957

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

2.3CVSS6AI score0.00208EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder