
15 matches found

EUVD
added 2026/05/18 7:17 p.m. · 8 views

EUVD-2026-30798

HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios...

CVSS 4.6 · AI score 5.8 · EPSS 0.00026
Exploits 0 · References 1
Cvelist
added 2026/05/12 8:33 p.m. · 28 views

CVE-2026-44224 Wiki.js: Privilege Escalation via Missing Group Validation in users.update

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without...

CVSS 8.6 · EPSS 0.00052
Exploits 1 · References 1
CVE
added 2026/05/12 8:33 p.m. · 9 views

CVE-2026-44224

Wiki.js 2.x prior to 2.5.313 is affected by a privilege-escalation in the users.update GraphQL mutation: it accepts an arbitrary groups array and writes it to the database without validating group IDs or enforcing ownership checks. An attacker with manage:users can set groups:[1] on their own acc...

CVSS 8.8 · AI score 5.9 · EPSS 0.00052
Exploits 1 · References 1 · Affected Software 1
EUVD
added 2026/05/12 8:33 p.m. · 7 views

EUVD-2026-29838

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without...

CVSS 8.6 · AI score 5.9 · EPSS 0.00052
Exploits 1 · References 1
Positive Technologies
added 2026/05/04 12:00 a.m. · 5 views

PT-2026-37168

Name of the Vulnerable Software and Affected Versions: Kirby versions prior to 4.9.0; Kirby versions prior to 5.4.0. Description: Missing authorization in the content management system allows authenticated users to create, replace, or delete user avatars even when they lack the necessary permissions ...

CVSS 5.3 · AI score 5.8 · EPSS 0.00008
Exploits 0 · References 10
NVD
added 2026/01/28 6:16 p.m. · 3 views

CVE-2020-36969

M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standa...

CVSS 8.8 · EPSS 0.00113
Exploits 1 · References 3
ATTACKERKB
added 2026/01/28 5:35 p.m. · 6 views

CVE-2020-36969

M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standa...

CVSS 8.8 · AI score 5.9 · EPSS 0.00113
Exploits 1 · References 3 · Affected Software 1
Vulnrichment
added 2026/01/28 5:35 p.m. · 1 view

CVE-2020-36969 M/Monit 3.7.4 - Privilege Escalation

M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standa...

CVSS 8.8 · AI score 5.9 · EPSS 0.00113
Exploits 1 · References 3
CVE
added 2026/01/28 5:35 p.m. · 14 views

CVE-2020-36969

CVE-2020-36969 affects M/Monit 3.7.4. A privilege-escalation flaw allows an authenticated user to modify permissions by tampering with the admin parameter via POST to /api/1/admin/users/update, potentially granting admin rights to a standard user. Public references (e.g., Exploit-DB) indicate a P...

CVSS 8.8 · AI score 5.9 · EPSS 0.00113
Exploits 1 · References 3 · Affected Software 1
Github Security Blog
added 2025/08/04 3:15 p.m. · 8 views

Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access

Due to a path validation flaw using prefix matching instead of canonical path comparison, it was possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of or ability to create a directory with the same prefix as the CWD and the...

CVSS 9.1 · AI score 7.3 · EPSS 0.00382
Exploits 0 · References 3 · Affected Software 1
Positive Technologies
added 2025/04/04 12:00 a.m. · 2 views

PT-2025-14864 · WordPress · Vehica Core

Name of the Vulnerable Software and Affected Versions: Vehica Core plugin for WordPress versions up to and including 1.0.97 Description: The issue arises from the plugin not properly validating user meta fields before updating them in the database. This allows authenticated attackers with...

CVSS 8.8 · AI score 9 · EPSS 0.0026
Exploits 0 · References 10
Positive Technologies
added 2025/03/26 12:00 a.m. · 2 views

PT-2025-13008 · Atop +2

Name of the Vulnerable Software and Affected Versions: atop versions prior to 2.11.0 Description: The issue allows local users to cause a denial of service, such as an assertion failure and application exit, or possibly have unspecified other impact by running certain types of unprivileged...

CVSS 2.9 · AI score 4.6 · EPSS 0.00024
Exploits 0 · References 49
Cvelist
added 2024/04/25 4:30 p.m. · 13 views

CVE-2024-25624 iris-web vulnerable to Server Side Template Injection in reports

Iris is a web collaborative platform aiming to help incident responders share technical details during investigations. Due to an improper setup of the Jinja2 environment, report generation in iris-web is prone to Server Side Template Injection (SSTI). Successful exploitation of the vulnerability c...

CVSS 6.8 · AI score 7.2 · EPSS 0.00928
Exploits 0 · References 1
NVD
added 2019/04/22 11:29 a.m. · 7 views

CVE-2019-11393

An issue was discovered in /admin/users/update in M/Monit before 3.7.3. It allows unprivileged users to escalate their privileges to an administrator by requesting a password change and specifying the admin parameter...

CVSS 9.8 · AI score 9.6 · EPSS 0.0044
Exploits 1 · References 2
OSV
added 2016/04/25 7:31 a.m. · 6 views

SUSE-SU-2016:1138-1 Security update for yast2-users

yast2-users was updated to fix one security issue. This security issue was fixed: - CVE-2016-1601: Empty password fields in /etc/shadow after SLES 12 SP1 AutoYaST installation (bsc#974220). This update includes a script that fixes installations that were affected by this problem. It is run...

CVSS 10 · AI score 6.8 · EPSS 0.00454
Exploits 0 · References 5