
14 matches found

Positive Technologies
added 5 days ago | 5 views

PT-2026-49069

Summary: A low-privileged authenticated user of filebrowser with create + delete permissions in their own isolated scope can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose...

CVSS 7.2 | AI score 5.5 | EPSS 0.00029
Exploits: 0 | References: 5
CNNVD
added 2026/05/27 12:0 a.m. | 4 views

pretix security vulnerability

Pretix is a ticketing system developed by the German company Pretix. There is a security vulnerability in Pretix. This vulnerability stems from an API endpoint that does not verify whether the UUID used for downloading corresponds to the file that should be downloaded and whether it belongs to th...

CVSS 7 | AI score 5.8 | EPSS 0.00219
Exploits: 0 | References: 2
Positive Technologies
added 2026/04/15 12:0 a.m. | 2 views

PT-2026-33036

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.11.x through 10.11.12. Description: Improper validation of user ownership within the Connected Workspaces feature allows a malicious remote server to change the displayed status of local users via the Connected Workspaces...

CVSS 2.7 | AI score 5.8 | EPSS 0.00167
Exploits: 0 | References: 5
NVD
added 2026/03/27 9:17 p.m. | 3 views

CVE-2026-34046

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the readflow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTOLOGIN setting to decide whether to filter by userid. When AUTOLOGIN was False i.e., authentication was enable...

CVSS 8.8 | EPSS 0.00406
Exploits: 0 | References: 2
NVD
added 2026/02/26 11:16 p.m. | 6 views

CVE-2026-27838

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.get_object. In versions up to and including 2.4, cache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API...

CVSS 3.5 | EPSS 0.00245
Exploits: 1 | References: 2
EUVD
added 2025/10/07 12:30 a.m. | 0 views

EUVD-2000-0365

Malware in sbrugna...

CVSS 2.1 | AI score 6.4 | EPSS 0.00351
Exploits: 0 | References: 4
EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2022-48219

Malicious code in bioql PyPI...

CVSS 6.3 | AI score 6.4 | EPSS 0.00479
Exploits: 0 | References: 4
RedhatCVE
added 2025/05/23 2:58 a.m. | 1 views

CVE-2023-1129

The WP FEvents Book WordPress plugin through 0.46 does not ensure that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel bookings on behalf of other users...

CVSS 6.5 | AI score 8.7 | EPSS 0.00555
Exploits: 2 | References: 1
OpenVAS
added 2025/05/07 12:0 a.m. | 4 views

Ensure That a User Has Its Own Home Directory

Each user must have its own home directory for storing user-related data. The owner of the home directory must be the user. If the owner of the home directory is not the user, the user cannot read or write the home directory, or the user data stored in the home directory can be read or tampered...

AI score 6.9
Exploits: 0 | References: 4
UbuntuCve
added 2022/09/20 6:15 p.m. | 22 views

CVE-2016-20015

In the ebuild package through smokeping-2.7.3-r1 for SmokePing on Gentoo, the initscript allows the smokeping user to gain ownership of any file, allowing for the smokeping user to gain root privileges. There is a race condition involving /var/lib/smokeping and chown...

CVSS 7.5 | AI score 7 | EPSS 0.00545
Exploits: 1 | References: 2
CNVD
added 2019/08/06 12:0 a.m. | 2 views

Unspecified vulnerability in cPanel (CNVD-2019-26338)

cPanel is a set of Web-based automated colocation platform from the US-based cPanel. The platform is primarily used to automate the management of websites and servers. A security vulnerability exists in versions of cPanel prior to 66.0.2, which stems from a program not properly setting up user an...

CVSS 4.7 | AI score 6.8 | EPSS 0.00665
Exploits: 0 | References: 1
Prion
added 2019/05/29 5:29 p.m. | 18 views

Design/Logic Flaw

An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gvfsbackendadmin.c mishandles a file's user and group ownership during move and copy with G_FILE_COPY_ALL_METADATA operations from admin:// to file:// URIs, because root privileges are unavailable...

CVSS 3.5 | AI score 6.3 | EPSS 0.0184
Exploits: 0 | References: 7 | Affected Software: 4
OSV
added 2015/03/27 9:12 p.m. | 5 views

MGASA-2015-0116 Updated setup package fixes security vulnerability

An issue has been identified in Mageia 4's setup package where the /etc/shadow and /etc/gshadow files containing password hashes were created with incorrect permissions, making them world-readable mga14516. This update fixes this issue by enforcing that those files are owned by the root user and...

AI score 7.2
Exploits: 0 | References: 3
Prion
added 2007/09/26 10:17 p.m. | 12 views

Code injection

ChironFS before 1.0 RC7 sets user/group ownership to the mounter account instead of the creator account when files are created, which allows local users to gain privileges...

CVSS 7.2 | AI score 7.1 | EPSS 0.00427
Exploits: 1 | References: 6 | Affected Software: 1