27 matches found
CVE-2026-40172
authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/pk/ API allows a caller with changeuser on a target user to assign arbitrary groups through UserSerializer, including groups with issuperuser=True, without...
CVE-2026-34087 Users API leaks whether privileged users have their user groups disabled for lack of 2FA
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OATHAuth: from before 1.43.7, 1.44.4, 1.45.2...
CVE-2026-8127
A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed to the publi...
CVE-2026-8127 eladmin Users API Endpoint UserController.java checkLevel access control
A vulnerability has been found in eladmin up to 2.7. Impacted is the function checkLevel of the file /rest/UserController.java of the component Users API Endpoint. Such manipulation leads to improper access controls. The attack can be executed remotely. The exploit has been disclosed to the publi...
EUVD-2026-24199
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation...
CVE-2026-5652 Authorization Bypass Through User-Controlled Key in Crafty Controller
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permissions validation...
PT-2026-32939
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/id endpoint allows any authenticated user with ROLE STUDENT to escalate their privileges to ROLE ADMIN by modifying the roles field...
CVE-2026-25045
Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR Insecure Direct Object Reference due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who...
CVE-2026-25045
Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR Insecure Direct Object Reference due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who...
EUVD-2026-10354
Budibase is a low code platform for creating internal tools, workflows, and admin panels. This issue is a combination of Vertical Privilege Escalation and IDOR Insecure Direct Object Reference due to missing server-side RBAC checks in the /api/global/users endpoints. A Creator-level user, who...
Splunk Enterprise 9.2.0 < 9.2.12, 9.3.0 < 9.3.9, 9.4.0 < 9.4.8, 10.0.0 < 10.0.2 (SVD-2026-0204)
The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2026-0204 advisory. - In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below...
EUVD-2022-34069
Malicious code in bioql PyPI...
EUVD-2025-32281
The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated...
CVE-2025-5315
An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed...
CVE-2024-24830 OpenObserve Privilege Escalation Vulnerability in Users API
OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/orgid/users" endpoint. This vulnerability allows any authenticated regular user 'member' to add new users with...
CVE-2024-25106 OpenObserve Unauthorized Access Vulnerability in Users API
OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A critical vulnerability has been identified in the "/api/orgid/users/emailid" endpoint. This vulnerability allows any authenticated user within an organization to...
CVE-2024-25106 OpenObserve Unauthorized Access Vulnerability in Users API
OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A critical vulnerability has been identified in the "/api/orgid/users/emailid" endpoint. This vulnerability allows any authenticated user within an organization to...
PT-2023-15390 · Filerun · Filerun
Name of the Vulnerable Software and Affected Versions: FileRun version 20220519 Description: The issue allows SQL Injection via the dir parameter in a "/?module=users§ion=cpanel&page=list" API endpoint. This could potentially lead to unauthorized access to sensitive data. Recommendations: For...
SQL Injection
org.opendaylight.aaa:aaa-idm-store-h2 is vulnerable to SQL Injection attacks. A specifically crafted attack statement through the deleteUser function in UserStore.java allows a malicious user to inject and execute arbitrary SQL queries on the target system, when the /auth/v1/users/ API interface ...
CVE-2021-45721
JFrog Artifactory prior to version 7.29.8 and 6.23.38 is vulnerable to Reflected Cross-Site Scripting XSS through one of the XHR parameters in Users REST API endpoint. This issue affects: JFrog JFrog Artifactory JFrog Artifactory versions before 7.36.1 versions prior to 7.29.8; JFrog Artifactory...