Role Delegation - Moderately critical - Access bypass - SA-CONTRIB-2026-002

This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the "administer permissions" permission. The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. A user...

PT-2026-2979

Name of the Vulnerable Software and Affected Versions Drupal Role Delegation versions 1.3.0 through 1.4.9 Description A privilege escalation issue exists in the Role Delegation module. The module allows site administrators to grant specific roles the authority to assign selected roles to users,...

a4t-sale-discount (=5.0.2), kalenis-lims (>=4.8.0 <=5.0.0) +260 more potentially affected by CVE-2025-66422 via trytond (>=4.0.20 <=5.8.16)

trytond PYPI version =4.0.20, =4.8.0, =5.4.0, =5.2.0, =5.2.0, =5.2.0, =5.2.0, =5.2.2, =5.2.0, =5.2.0, =5.2.0, =5.2.2 - m9s-account-invoice-report-filestore =5.2.0 and more Source cves: CVE-2025-66422 Source advisory: OSV:GHSA-JQFC-9Q34-PRHG...

EUVD-2009-0666

Malware in sbrugna...

CVE-2023-35150

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code executio...

CVE-2023-22903

api/views/user.py in LibrePhotos before e19e539 has incorrect access control...

CVE-2019-8289

Vulnerability in Online Store v1.0, stored XSS in admin/userview.php adidasmemberemail variable...

CVE-2024-44262

This issue was addressed with improved redaction of sensitive information. This issue is fixed in visionOS 2.1. A user may be able to view sensitive user information...

CVE-2024-4226

It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed...

CVE-2024-4226

It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed...

CVE-2023-27889

Cross-site request forgery CSRF vulnerability in LIQUID SPEECH BALLOON versions prior to 1.2 allows a remote unauthenticated attacker to hijack the authentication of a user and to perform unintended operations by having a user view a malicious page...

PT-2023-18766 · Unknown · Librephotos

Name of the Vulnerable Software and Affected Versions: LibrePhotos versions prior to e19e539 Description: The issue is related to incorrect access control in the api/views/user.py file. This could potentially allow unauthorized access to certain features or data. Recommendations: For versions pri...

Information Disclosure

moodle is vulnerable to information disclosure. The vulnerability exists due to the $hiddenfields not properly set in user/profile.php and in user/view.php allowing the description user field to be seen even when it is set to hidden...

CVE-2022-1459 Non-Privilege User Can View Patient’s Disclosures in openemr/openemr

Non-Privilege User Can View Patient’s Disclosures in GitHub repository openemr/openemr prior to 6.1.0.1...

CVE-2022-23988

The WS Form LITE and Pro WordPress plugins before 1.8.176 do not sanitise and escape submitted form data, allowing unauthenticated attacker to submit XSS payloads which will get executed when a privileged user will view the related submission...

UBUNTU-CVE-2022-0334

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. Insufficient capability checks could lead to users accessing their grade report for courses where they did not have the required gradereport/user:view capability...

Stylish Cost Calculator < 7.04 - Subscriber+ Unauthorised AJAX Calls to Stored XSS

The plugin does not have any authorisation and CSRF checks on some of its AJAX actions available to authenticated users, which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users d...

Cross site scripting

An issue was discovered in Navigate CMS 2.9 r1433. There is a stored XSS vulnerability that is executed on the page to view users, and on the page to edit users. This is present in both the User field and the E-Mail field. On the Edit user page, the XSS is only triggered via the E-Mail field;...

CVE-2019-8289

Vulnerability in Online Store v1.0, stored XSS in admin/userview.php adidasmemberemail variable...

CVE-2019-8288

Vulnerability in Online Store v1.0, Stored XSS in userview.php where adidasmemberuser variable is not sanitized...