27 matches found
Incorrect Authorization
Overview org.webjars.npm:auth0-js is a client-side JavaScript toolkit for the Auth0 API. Affected versions of this package are vulnerable to Incorrect Authorization via token validation. An attacker can gain unauthorized access to user profile information by providing a specifically crafted invalid I...
CVE-2026-1436
Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive...
CVE-2026-1436 Improper Access Control (IDOR) vulnerability in Graylog Web Interface
Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive...
CVE-2026-1436
Graylog API vulnerability CVE-2026-1436 affects Graylog API version 2.2.3. An authenticated user can access other users’ profiles by altering the URL /users/, due to missing object‑level authorization checks on that endpoint (http://:12900/users/). Impact includes exposure of names, emails, inter...
PT-2026-20392
Improper Access Control (IDOR) in the Graylog API, version 2.2.3, which occurs when modifying the user ID in the URL. An authenticated user can access other users' profiles without proper authorization checks. Exploiting this vulnerability allows valid users of the system to be listed and sensitive...
CVE-2022-27958
Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allows attackers to access and arbitrarily modify users' personal information...
EUVD-2005-4281
Malware in sbrugna...
EUVD-2022-46830
Malicious code in bioql PyPI...
EUVD-2025-23289
Malicious code in bioql PyPI...
EUVD-2025-11982
Malicious code in bioql PyPI...
EUVD-2022-32444
Malicious code in bioql PyPI...
EUVD-2022-3224
Malicious code in bioql PyPI...
CVE-2024-5639
The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'restapichangeprofileimage' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...
CVE-2022-24040
A vulnerability has been identified in Desigo DXR2 All versions V01.21.142.5-22, Desigo PXC3 All versions V01.21.142.4-18, Desigo PXC4 All versions V02.20.142.10-10884, Desigo PXC5 All versions V02.20.142.10-10884. The web application fails to enforce an upper bound to the cost factor of the PBKD...
CVE-2022-45167
An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to access the profile information of all connected users...
Leantime has Missing Authorization Check for Host Parameter
Finding Description The application has functionality for a user to view profile information. It does not implement an authorization check for the "Host" parameter, which allows a user to view the profile information of another user by replacing the "Host" parameter. Impact By exploiting this vulnerability...
The vulnerability of the E2EE Password Handler component in the server-based corporate messaging platform supporting file and video conferences like Rocket.Chat Mobile allows a hacker to escalate their privileges.
The vulnerability of the E2EE Password Handler component in the server-based corporate messaging system that supports file and video conferences in Rocket.Chat Mobile is related to the use of weak user credentials. Exploiting this vulnerability could allow a malicious actor to gain increased...
PT-2024-20043 · Savignano · S/Notify
Name of the Vulnerable Software and Affected Versions: savignano S/Notify versions prior to 2.0.1 for Bitbucket Description: The issue allows attackers to replace S/MIME certificate or PGP keys for arbitrary users via a crafted link, exploiting a Cross Site Request Forgery vulnerability in the...