
27 matches found

Source: CVE
Added last week, 9 views

CVE-2026-45332

Affected software: Automad (flat-file CMS/template engine). Vulnerability: Broken Access Control allowing an unauthenticated attacker to retrieve bcrypt password hashes of all administrator accounts (and, in 2.0.0-beta.27, TOTP secrets) via the publicly accessible /_api/user-collection/create-fir...

CVSS 7.5 | AI score 5.8 | EPSS 0.00058
Exploits: 1 | References: 1
Source: Redhat CVE
Added 2026/05/09 2:21 a.m., 5 views

CVE-2026-41902

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

CVSS 9.1 | AI score 5.8 | EPSS 0.00039
Exploits: 0 | References: 1
Source: NVD
Added 2026/05/07 7:16 p.m., 5 views

CVE-2026-41902

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

CVSS 9.1 | EPSS 0.00039
Exploits: 0 | References: 2
Source: EUVD
Added 2026/05/07 6:3 p.m., 4 views

EUVD-2026-28405

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

CVSS 9.1 | AI score 5.8 | EPSS 0.00039
Exploits: 0 | References: 2
Source: ATTACKERKB
Added 2026/05/07 6:3 p.m., 3 views

CVE-2026-41902

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/hash endpoint accepts a 60-character random invitehash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until...

CVSS 9.1 | AI score 5.8 | EPSS 0.00039
Exploits: 0 | References: 3 | Affected Software: 1
Source: CVE
Added 2026/05/07 6:3 p.m., 9 views

CVE-2026-41902

CVE-2026-41902 affects FreeScout (Laravel-based help desk). Before v1.8.217, the endpoint /user-setup/{hash} accepts a 60-character invite_hash to set a new user’s password and does not expire the hash, leaving it valid until used. If the invite link leaks (e.g., forwarded emails, logs, or referr...

CVSS 9.1 | AI score 5.8 | EPSS 0.00039
Exploits: 0 | References: 2
Source: Positive Technologies
Added 2026/05/07 12:0 a.m., 6 views

PT-2026-38547

Name of the Vulnerable Software and Affected Versions: FreeScout versions prior to 1.8.217. Description: The '/user-setup/hash' endpoint accepts a 60-character random invite hash to set a new user's password but does not perform an expiration check, allowing the hash to remain valid indefinitely unt...

CVSS 9.1 | AI score 5.8 | EPSS 0.00039
Exploits: 0 | References: 12
Source: NVD
Added 2025/11/19 7:15 p.m., 1 view

CVE-2025-63211

Stored cross-site scripting vulnerability in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 thru 6.5.0-10, allows attackers to execute arbitrary code via the addName parameter to the /vbc/core/userSetupDoc/userSetupDoc endpoint...

CVSS 6.1 | EPSS 0.00041
Exploits: 1 | References: 2
Source: Cvelist
Added 2025/11/19 12:0 a.m., 4 views

CVE-2025-63211

Stored cross-site scripting vulnerability in bridgetech VBC Server & Element Manager, firmware versions 6.5.0-9 thru 6.5.0-10, allows attackers to execute arbitrary code via the addName parameter to the /vbc/core/userSetupDoc/userSetupDoc endpoint...

EPSS 0.00041
Exploits: 1 | References: 2
Source: CVE
Added 2025/11/19 12:0 a.m., 5 views

CVE-2025-63211

CVE-2025-63211 affects Bridgetech VBC Server & Element Manager. A stored cross-site scripting flaw exists in firmware versions 6.5.0-9 through 6.5.0-10, exploitable via the addName parameter on the /vbc/core/userSetupDoc/userSetupDoc endpoint, potentially enabling arbitrary code execution. Connec...

CVSS 6.1 | AI score 6.4 | EPSS 0.00041
Exploits: 1 | References: 2 | Affected Software: 1
Source: EUVD
Added 2025/10/03 8:7 p.m., 3 views

EUVD-2025-23951

Malicious code in bioql PyPI...

CVSS 5.2 | AI score 6.3 | EPSS 0.00029
Exploits: 0 | References: 4
Source: Veracode
Added 2025/08/28 12:19 p.m., 2 views

Privilege Escalation

github.com/operator-framework/operator-sdk is vulnerable to Privilege Escalation. The vulnerability is due to the usersetup script setting /etc/passwd to group-writable, allowing attackers to modify it and gain root privileges within the container...

CVSS 6.4 | AI score 6.8 | EPSS 0.00029
Exploits: 0 | References: 30 | Affected Software: 1
Source: ATTACKERKB
Added 2025/08/07 7:5 p.m., 2 views

CVE-2025-7195

Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, usersetup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used...

CVSS 6.4 | AI score 5.8 | EPSS 0.00029
Exploits: 0 | References: 28
Source: Positive Technologies
Added 2025/08/07 12:0 a.m., 4 views

PT-2025-32307

Name of the Vulnerable Software and Affected Versions: Operator-SDK versions prior to 0.15.2. Description: Early versions of Operator-SDK included an insecure method for operator containers to run in environments utilizing a random UID. A script, user setup, modified the permissions of the /etc/pass...

CVSS 5.2 | AI score 8 | EPSS 0.00029
Exploits: 0 | References: 48
Source: Citrix
Added 2024/07/13 12:0 a.m., 14 views

How to Configure StoreFront and Smart Card Authentication for Internal Users using Stores

This article describes how to configure Citrix StoreFront 2.0 and Smart Card authentication using Gemalto .NET cards against stores for internal users. Requirements: The following components are needed to allow users to connect through Smart Card to StoreFront: Citrix StoreFront 2.x, Citrix Receiver fo...

AI score 7.3
Exploits: 0
Source: Github Security Blog
Added 2024/05/20 5:7 p.m., 13 views

Passbolt API Stored XSS on first/last name during setup

Description: An administrator can craft a user with a malicious first name and last name, using a payload such as '; ? The user will then receive the invitation email and click on the setup link. The setup start page served by the server will fire the XSS. Impact of issue: An administrator could us...

AI score 6.9
Exploits: 0 | References: 5 | Affected Software: 1
Source: OpenVAS
Added 2022/08/26 12:0 a.m., 4 views

Ubuntu: Security Advisory (USN-316-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

AI score 7.5
Exploits: 0 | References: 3
Source: Debian CVE
Added 2021/04/26 3:35 p.m., 21 views

CVE-2021-27851

A security vulnerability that can lead to local privilege escalation has been found in ’guix-daemon’. It affects multi-user setups in which ’guix-daemon’ runs locally. The attack consists in having an unprivileged user spawn a build process, for instance with guix build, that makes its build...

CVSS 5.5 | AI score 5.6 | EPSS 0.00041
Exploits: 0
Source: Vulnerability Lab
Added 2018/02/20 12:0 a.m., 31 views

vBulletin Security Forum Setup - Hardening & Configuration

Document Title: vBulletin Security Forum Setup - Hardening & Configuration. References: https://www.vulnerability-lab.com/getcontent.php?id=2119. Download: https://www.vulnerability-lab.com/resources/documents/2119.txt. Release Date: 2018-02-20. Vulnerability...

AI score 7.1
Exploits: 0
Source: NVD
Added 2014/04/25 5:12 p.m., 10 views

CVE-2013-3069

Multiple cross-site scripting (XSS) vulnerabilities in NETGEAR WNDR4700 with firmware 1.0.0.34 allow remote authenticated users to inject arbitrary web script or HTML via the (1) UserName or (2) Password to the NAS User Setup page, (3) deviceName to USBadvanced.htm, or (4) Network Key to the Wireless Setup...

CVSS 3.5 | AI score 5.5 | EPSS 0.00159
Exploits: 1 | References: 2