Lucene search
K

147 matches found

Cvelist
Cvelist
added 2 days ago31 views

CVE-2026-13207 Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing

FUXA versions 1.3.1 and prior contain an authentication bypass vulnerability via dot-segment path normalization in the REST API. The API router fails to normalize dot-segment sequences before applying authentication middleware, allowing unauthenticated requests to access protected endpoints by...

8.7CVSS0.00352EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2 days ago5 views

PT-2026-53986

Name of the Vulnerable Software and Affected Versions FUXA versions prior to 1.3.2 Description An authentication bypass exists in the REST API due to improper dot-segment path normalization. The API router does not normalize dot-segment sequences before the authentication middleware is applied...

8.7CVSS5.8AI score0.00352EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 3 days ago5 views

PT-2026-53269

Name of the Vulnerable Software and Affected Versions FrontAccounting versions prior to 2.4.20 Description An issue exists in the Bank Statement report handler that allows authenticated attackers to extract arbitrary database data. By injecting UNION SELECT payloads into the PARAM 0 POST paramete...

7.1CVSS6AI score0.00148EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.9 views

CVE-2026-5780

An insecure direct object reference IDOR vulnerability in MphRx's Minerva V3.6.0, specifically in the endpoint '/minerva/moUser/show/'. If this vulnerability is successfully exploited, an authenticated user can access the data of other registered users simply by modifying the ID. This allows an...

8.5CVSS5.5AI score0.00201EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/14 9:36 p.m.7 views

CVE-2026-45248 Hedera Guardian Authentication Bypass Information Disclosure

Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain...

6.9CVSS5.8AI score0.00356EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/05 10:2 p.m.11 views

Missing Authentication for Critical Function

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the objects/users.json.php process. An attacker can retrieve sensitive user information, including user IDs, displa...

6.9CVSS5.8AI score0.0027EPSS
Exploits0References2
CVE
CVE
added 2026/05/04 12:0 a.m.28 views

CVE-2025-67796

IKUS Rdiffweb is affected by an improper authorization vulnerability (CVE-2025-67796) in versions prior to 2.10.6. The API fails to bind the authenticated subject to the targeted user/tenant, allowing a valid or stolen token to read or modify other users’ data and potentially perform privileged a...

8.1CVSS5.8AI score0.00245EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/02 9:14 a.m.30 views

CVE-2026-7491 Zyosoft|School App - Insecure Direct Object Reference

School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data...

8.6CVSS0.00259EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/30 12:0 a.m.10 views

PT-2026-36200

Name of the Vulnerable Software and Affected Versions IBM Langflow OSS versions 1.0.0 through 1.8.4 Description An issue exists where any user can provide a flow id to read transaction logs and vertex build data belonging to other users. Additionally, this allows for the deletion of persisted...

6.5CVSS5.8AI score0.00201EPSS
Exploits0References6
NVD
NVD
added 2026/04/22 2:17 p.m.6 views

CVE-2026-5750

An insecure direct object reference IDOR vulnerability in the Fullstep V5 registration process allows authenticated users to access data belonging to other registered users through various vulnerable authenticated resources in the application. The vulnerable endpoints result from:...

7.6CVSS0.00207EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/22 12:0 a.m.8 views

Fullstep 安全漏洞

Fullstep is a corporate procurement and supply chain management platform developed by Fullstep Inc. The Fullstep V5 version contains a security vulnerability. This vulnerability stems from insecure direct object references during the registration process, which may allow authenticated users to...

7.6CVSS5.8AI score0.00207EPSS
Exploits0References1
OSV
OSV
added 2026/03/31 8:38 p.m.4 views

CVE-2026-34395 AVideo: Mass User PII Disclosure via Missing Authorization in YPTWallet users.json.php

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/YPTWallet/view/users.json.php endpoint returns all platform users with their personal information and wallet balances to any authenticated user. The endpoint checks User::isLogged but does not check User::isAdmin...

6.5CVSS5.9AI score0.00316EPSS
Exploits1References3
Snyk
Snyk
added 2026/03/26 6:8 p.m.3 views

Authorization Bypass Through User-Controlled Key

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the save.json.php process. An attacker can access and exfiltrate confidential AI-generated metadata and...

5.3CVSS5.9AI score0.00214EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/03/24 10:25 p.m.11 views

Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Summary A public access-control flaw allows unauthenticated users to retrieve the full user list from GET /api/allusers. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration. Details The vulnerable route is registered as a public endpoint:...

5.3CVSS5.9AI score0.00484EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/06 12:0 a.m.5 views

PT-2026-23647

Name of the Vulnerable Software and Affected Versions Ghostfolio versions prior to 2.244.0 Description Ghostfolio is a wealth management software susceptible to arbitrary SQL command execution. An attacker can bypass symbol validation to execute SQL commands through the getHistorical method...

9.8CVSS6AI score0.00367EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/02/27 7:33 p.m.5 views

CVE-2026-27792

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...

5.4CVSS5.8AI score0.00215EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2026/01/28 12:0 a.m.5 views

OpenEMR Access Control Vulnerability

OpenEMR is a set of open-source medical management systems developed by the OpenEMR community. This system can be used for medical practice management, electronic medical records, prescription writing, and medical billing applications. Prior to OpenEMR 7.0.4, there was an access control...

8.8CVSS5.8AI score0.00333EPSS
Exploits1References2
CVE
CVE
added 2026/01/26 7:58 p.m.31 views

CVE-2025-9615

CVE-2025-9615 affects NetworkManager. A flaw allows non-root users to configure the system network and enables access to files owned by other users, since the NetworkManager daemon runs with root privileges. The result is potential exposure of user-owned files due to misconfigured access to netwo...

3.3CVSS5.8AI score0.00162EPSS
Exploits0References7
NVD
NVD
added 2026/01/13 5:15 p.m.3 views

CVE-2025-65784

Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-level privileges to access other users' information via a crafted API request...

6.5CVSS0.00364EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/01/12 2:54 p.m.6 views

CVE-2025-41077 Multiple vulnerabilities in Viafirma products

IDOR vulnerability has been found in Viafirma Inbox v4.5.13 that allows any authenticated user without privileges in the application to list all users, access and modify their data. This allows the user's email addresses to be modified and, subsequently, using the password recovery functionality ...

8.6CVSS6.5AI score0.00205EPSS
Exploits0References1
Rows per page
Query Builder