Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2019-12837

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-31 Dec, 2019 | 16:53
Updated At-04 Aug, 2024 | 23:32
Rejected At-
Credits

The Java API in accesuniversitat.gencat.cat 1.7.5 allows remote attackers to get personal information of all registered students via several API endpoints.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:31 Dec, 2019 | 16:53
Updated At:04 Aug, 2024 | 23:32
Rejected At:
▼CVE Numbering Authority (CNA)

The Java API in accesuniversitat.gencat.cat 1.7.5 allows remote attackers to get personal information of all registered students via several API endpoints.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://vulnz.avm99963.com/T15
x_refsource_MISC
Hyperlink: https://vulnz.avm99963.com/T15
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://vulnz.avm99963.com/T15
x_refsource_MISC
x_transferred
Hyperlink: https://vulnz.avm99963.com/T15
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:31 Dec, 2019 | 17:15
Updated At:21 Jul, 2021 | 11:39

The Java API in accesuniversitat.gencat.cat 1.7.5 allows remote attackers to get personal information of all registered students via several API endpoints.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary2.04.0MEDIUM
AV:N/AC:L/Au:S/C:P/I:N/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Primary
Version: 2.0
Base score: 4.0
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:S/C:P/I:N/A:N
CPE Matches

gencat
gencat
>>portal_d\'acces_a_la_universitat>>1.7.5
cpe:2.3:a:gencat:portal_d\'acces_a_la_universitat:1.7.5:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-706Primarynvd@nist.gov
CWE-863Primarynvd@nist.gov
CWE ID: CWE-706
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-863
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://vulnz.avm99963.com/T15cve@mitre.org
Exploit
Third Party Advisory
Hyperlink: https://vulnz.avm99963.com/T15
Source: cve@mitre.org
Resource:
Exploit
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

303Records found

CVE-2025-30741
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 21.00%
||
7 Day CHG~0.00%
Published-25 Mar, 2025 | 00:00
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instance.

Action-Not Available
Vendor-Pixelfed
Product-Pixelfed
CWE ID-CWE-863
Incorrect Authorization
CVE-2022-45353
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.50% / 39.31%
||
7 Day CHG~0.00%
Published-14 Jan, 2023 | 10:53
Updated-28 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Betheme theme <= 26.6.1 is vulnerable to Broken Access Control

Broken Access Control in Betheme theme <= 26.6.1 on WordPress.

Action-Not Available
Vendor-Muffin Group
Product-bethemeBetheme
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-5796
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.15%
||
7 Day CHG~0.00%
Published-25 Jun, 2026 | 04:34
Updated-26 Jun, 2026 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the Package Registry disabled due to incorrect authorization checks in the group packages feature.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-1010084
Matching Score-4
Assigner-7556d962-6fb7-411e-85fa-6cd62f095ba8
ShareView Details
Matching Score-4
Assigner-7556d962-6fb7-411e-85fa-6cd62f095ba8
CVSS Score-6.5||MEDIUM
EPSS-1.13% / 62.82%
||
7 Day CHG~0.00%
Published-17 Jul, 2019 | 13:05
Updated-05 Aug, 2024 | 03:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: Incorrect Access Control. The impact is: Potential for unathorised access to data. The component is: Incorrect calls to _ensure_auth() wrapper result in authentication-checking not being applied to al routes.

Action-Not Available
Vendor-dancer\Dancer::Plugin::SimpleCRUD
Product-\Dancer::Plugin::SimpleCRUD
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-27571
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.17%
||
7 Day CHG+0.02%
Published-16 Apr, 2025 | 07:45
Updated-01 Oct, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Channel metadata visible in archived channels despite configuration setting

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to check the "Allow Users to View Archived Channels" configuration when fetching channel metadata of a post from archived channels, which allows authenticated users to access such information when a channel is archived.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-2527
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.15%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 15:27
Updated-22 Aug, 2025 | 20:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper access control to group information

Mattermost versions 10.5.x <= 10.5.2, 9.11.x <= 9.11.11 failed to properly verify a user's permissions when accessing groups, which allows an attacker to view group information via an API request.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-28661
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.79% / 52.03%
||
7 Day CHG~0.00%
Published-07 Oct, 2021 | 14:06
Updated-03 Aug, 2024 | 21:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Default SilverStripe GraphQL Server (aka silverstripe/graphql) 3.x through 3.4.1 permission checker not inherited by query subclass.

Action-Not Available
Vendor-n/aSilverstripe
Product-silverstripen/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-2564
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 18.62%
||
7 Day CHG+0.02%
Published-16 Apr, 2025 | 16:12
Updated-29 Sep, 2025 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthorized View Access to Archived Channel Member Info

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-55472
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 9.62%
||
7 Day CHG~0.00%
Published-10 Jul, 2026 | 18:36
Updated-13 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Snipe-IT: API Location Creation Bypasses FMCS Parent-Child Company Boundary Validation

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, when Full Multiple Companies Support and scope_locations_fmcs are enabled, the API location creation endpoint detects an invalid parent-child company mismatch but does not return immediately, allowing creation of a child location under a parent location from a different company. This issue is fixed in version 8.6.2.

Action-Not Available
Vendor-snipeitappgrokability
Product-snipe-itsnipe-it
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-55462
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.55%
||
7 Day CHG+0.01%
Published-10 Jul, 2026 | 19:35
Updated-14 Jul, 2026 | 12:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Snipe-IT: Authorization bypass on print inventory page

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, UsersController::show() and printInventory() authorize only user viewing before loading and rendering assigned license, accessory, and consumable relationships, allowing an authenticated user with only users.view to see inventory and cost/order metadata from modules that direct permissions would otherwise deny. This issue is fixed in version 8.6.2.

Action-Not Available
Vendor-snipeitappgrokability
Product-snipe-itsnipe-it
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24872
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 16.29%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 00:37
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization check in SAP ABAP Platform (ABAP Build Framework)

The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This has a limited impact on the confidentiality of the application with no effect on the integrity and availability of the application.

Action-Not Available
Vendor-SAP SE
Product-SAP ABAP Platform (ABAP Build Framework)
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24421
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-0.53% / 41.12%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 17:37
Updated-17 Apr, 2025 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Commerce | Incorrect Authorization (CWE-863)

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to read select data. Exploitation of this issue does not require user interaction

Action-Not Available
Vendor-Adobe Inc.
Product-commercecommerce_b2bmagentoAdobe Commerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24526
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 19.09%
||
7 Day CHG~0.00%
Published-24 Feb, 2025 | 07:23
Updated-01 Oct, 2025 | 18:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Channel export permitted on archived channel when viewing archived channels is disabled

Mattermost versions 10.1.x <= 10.1.3, 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to restrict channel export of archived channels when the "Allow users to view archived channels" is disabled which allows a user to export channel contents when they shouldn't have access to it

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermost_serverMattermost
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-5377
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.30%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 16:04
Updated-23 Apr, 2026 | 20:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-25026
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 16.21%
||
7 Day CHG~0.00%
Published-28 May, 2025 | 01:11
Updated-28 Aug, 2025 | 14:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Guardium information disclosure

IBM Security Guardium 12.0 could allow an authenticated user to obtain sensitive information due to an incorrect authentication check.

Action-Not Available
Vendor-IBM Corporation
Product-Security Guardium
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24397
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 20.79%
||
7 Day CHG~0.00%
Published-22 Jan, 2025 | 17:02
Updated-03 Oct, 2025 | 00:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credential IDs of GitLab API token and Secret text credentials stored in Jenkins.

Action-Not Available
Vendor-Jenkins
Product-gitlabJenkins GitLab Plugin
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24869
Matching Score-4
Assigner-SAP SE
ShareView Details
Matching Score-4
Assigner-SAP SE
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 15.77%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 00:36
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Information Disclosure vulnerability in SAP NetWeaver Application Server Java

SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need it. These XML files are not entirely SAP-internal as they are deployed with the server. In such a scenario, sensitive information could be exposed without compromising its integrity or availability.

Action-Not Available
Vendor-SAP SE
Product-SAP NetWeaver Application Server Java
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-24436
Matching Score-4
Assigner-Adobe Systems Incorporated
ShareView Details
Matching Score-4
Assigner-Adobe Systems Incorporated
CVSS Score-4.3||MEDIUM
EPSS-0.53% / 41.12%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 17:37
Updated-16 Apr, 2025 | 14:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Adobe Commerce | Incorrect Authorization (CWE-863)

Adobe Commerce versions 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11, 2.4.8-beta1 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. A low-privileged attacker could exploit this vulnerability to view select information. Exploitation of this issue does not require user interaction.

Action-Not Available
Vendor-Adobe Inc.
Product-magentocommercecommerce_b2bAdobe Commerce
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-52795
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.42%
||
7 Day CHG~0.00%
Published-24 Jun, 2026 | 20:06
Updated-25 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity

Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead() (returns 404 when the user CAN read) instead of if !repoCtx.ViewerCanRead() (return 404 when the user CANNOT read). Once watching, the attacker's dashboard activity feed shows commit messages, branch names, issue titles, and PR details from the private repository. If email notifications are enabled, the attacker also receives emails containing issue and comment content.

Action-Not Available
Vendor-gogs
Product-gogs
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-49288
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.75%
||
7 Day CHG~0.00%
Published-19 Jun, 2026 | 18:11
Updated-22 Jun, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0.

Action-Not Available
Vendor-statamic
Product-cms
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-23419
Matching Score-4
Assigner-F5, Inc.
ShareView Details
Matching Score-4
Assigner-F5, Inc.
CVSS Score-5.3||MEDIUM
EPSS-2.65% / 83.91%
||
7 Day CHG~0.00%
Published-05 Feb, 2025 | 17:31
Updated-27 Jan, 2026 | 13:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TLS Session Resumption Vulnerability

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Action-Not Available
Vendor-Debian GNU/LinuxF5, Inc.
Product-nginx_plusnginxdebian_linuxNGINX PlusNGINX Open Source
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-49369
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.3||MEDIUM
EPSS-0.20% / 9.64%
||
7 Day CHG~0.00%
Published-29 May, 2026 | 18:15
Updated-01 Jun, 2026 | 12:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages

Action-Not Available
Vendor-JetBrains s.r.o.
Product-youtrackYouTrack
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-4242
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.43% / 35.04%
||
7 Day CHG~0.00%
Published-09 Aug, 2023 | 03:36
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FULL - Customer <= 2.2.3 - Authenticated(Subscriber+) Information Disclosure via Health Check

The FULL - Customer plugin for WordPress is vulnerable to Information Disclosure via the /health REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to obtain sensitive information about the site configuration as disclosed by the WordPress health check.

Action-Not Available
Vendor-fullfullservices
Product-full_-_customerFULL – Cliente
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-47236
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 8.03%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 18:11
Updated-15 Jun, 2026 | 21:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission

Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails as well as members into Inertia props. Any employee who belongs to the organization can read pending invitation email addresses and members through the serialised inertia data in the team page body even though the same user is forbidden from the API. This issue has been patched in version 0.12.2.

Action-Not Available
Vendor-solidtime-io
Product-solidtime
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-46635
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.30% / 21.59%
||
7 Day CHG~0.00%
Published-14 Jul, 2026 | 21:12
Updated-15 Jul, 2026 | 20:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)

Twig is a template language for PHP. Prior to 3.26.0, the column filter passes object arrays to PHP array_column(), which reads public and magic properties without reaching CoreExtension::getAttribute() or SandboxExtension::checkPropertyAllowed(), allowing an untrusted template author with column in allowedFilters to read properties that are not in the sandbox allowlist. This issue is fixed in version 3.26.0.

Action-Not Available
Vendor-symfonytwigphp
Product-twigTwig
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-24819
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.78% / 51.93%
||
7 Day CHG~0.00%
Published-13 Dec, 2021 | 10:41
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Page/Post Content Shortcode <= 1.0 - Contributor+ Arbitrary Posts/Pages Access

The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors.

Action-Not Available
Vendor-page\/post_content_shortcode_projectUnknown
Product-page\/post_content_shortcodePage/Post Content Shortcode
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-45563
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.27%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 14:03
Updated-10 Jun, 2026 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Roxy-WI: IDOR — any authenticated user can read another user's full action history

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in an unrelated group — can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.

Action-Not Available
Vendor-roxy-wi
Product-roxy-wi
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-863
Incorrect Authorization
CVE-2021-24851
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.91% / 56.07%
||
7 Day CHG~0.00%
Published-17 Nov, 2021 | 10:15
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insert Pages < 3.7.0 - Contributor+ Arbitrary Posts/Pages Access

The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue.

Action-Not Available
Vendor-insert_pages_projectUnknown
Product-insert_pagesInsert Pages
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2026-45148
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.64%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 18:19
Updated-15 May, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SiYuan: Broken access control in SiYuan publish-mode Readers can enumerate metadata

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, broken access control in the searchAsset, searchTag, searchWidget, and searchTemplate publish-mode Readers can enumerate metadata from documents that are invisible to the publish service. This vulnerability is fixed in 3.7.0.

Action-Not Available
Vendor-siyuan-note
Product-siyuan
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-44557
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.58%
||
7 Day CHG~0.00%
Published-15 May, 2026 | 19:44
Updated-19 May, 2026 | 03:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Open WebUI: Global Knowledge Base Enumeration via knowledge-bases Meta-Collection

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the _validate_collection_access function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory-* and file-* patterns. All other collection names pass through unchecked — including the system-level knowledge-bases meta-collection, which stores the IDs, names, and descriptions of every knowledge base on the instance. Any authenticated user can query this meta-collection directly via the retrieval query endpoints to obtain a global index of all knowledge bases across all users. This vulnerability is fixed in 0.9.0.

Action-Not Available
Vendor-openwebuiopen-webui
Product-open_webuiopen-webui
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-44283
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||NONE
EPSS-0.22% / 13.08%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 17:01
Updated-16 May, 2026 | 00:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
etcd: Read access via PrevKv in etcd transactions may bypass RBAC authorization checks

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may be able to access unauthorized data or attach leases by invoking transaction operations with these features enabled. This vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.

Action-Not Available
Vendor-etcdetcd-io
Product-etcdetcd
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-20493
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.71% / 49.49%
||
7 Day CHG~0.00%
Published-30 Dec, 2019 | 21:24
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-20498
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.66% / 47.38%
||
7 Day CHG~0.00%
Published-30 Dec, 2019 | 21:24
Updated-05 Aug, 2024 | 12:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in GitLab Community and Enterprise Edition before 11.4.13, 11.5.x before 11.5.6, and 11.6.x before 11.6.1. It has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-45009
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 6.42%
||
7 Day CHG~0.00%
Published-15 May, 2026 | 18:36
Updated-28 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
phpMyFAQ - Insufficient Authorization Check in Admin API Endpoints

phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privileges. Attackers with valid frontend user accounts can access sensitive backend operational information including dashboard versions, LDAP configuration, Elasticsearch statistics, and health-check data.

Action-Not Available
Vendor-Thorsten Rinne (phpMyFAQ)
Product-phpmyfaq
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-44374
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.62%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 14:30
Updated-01 Jun, 2026 | 13:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks

Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is an information disclosure vulnerability affecting Backstage installations using this module. This is patched in @backstage/plugin-catalog-backend-module-unprocessed version 0.6.11, @backstage/plugin-catalog-unprocessed-entities-common version 0.0.15 and @backstage/plugin-catalog-unprocessed-entities version 0.2.30.

Action-Not Available
Vendor-@backstageThe Linux Foundation
Product-backstage\/plugin-catalog-unprocessed-entitiesbackstage\/plugin-catalog-backend-module-unprocessedbackstage\/plugin-catalog-unprocessed-entities-commonplugin-catalog-backend-module-unprocessedplugin-catalog-unprocessed-entitiesplugin-catalog-unprocessed-entities-common
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-9807
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.17%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 07:34
Updated-29 May, 2026 | 16:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed a blocked Project Access Token to continue accessing private resources due to incorrect authorization enforcement.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-21562
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-4.3||MEDIUM
EPSS-0.32% / 24.28%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 20:53
Updated-29 Apr, 2025 | 20:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the PeopleSoft Enterprise CC Common Application Objects product of Oracle PeopleSoft (component: Run Control Management). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CC Common Application Objects. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise CC Common Application Objects accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-peoplesoft_enterprise_cc_common_application_objectsPeopleSoft Enterprise CC Common Application Objects
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-21567
Matching Score-4
Assigner-Oracle
ShareView Details
Matching Score-4
Assigner-Oracle
CVSS Score-4.3||MEDIUM
EPSS-0.54% / 41.84%
||
7 Day CHG~0.00%
Published-21 Jan, 2025 | 20:53
Updated-03 Nov, 2025 | 21:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 9.1.0 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

Action-Not Available
Vendor-Oracle Corporation
Product-mysql_serverMySQL Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-44169
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.69%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 17:31
Updated-15 Jun, 2026 | 20:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MariaDB: Authorization bypass in role-based routine-level privilege check exposes stored routine definitions

MariaDB server is a community developed fork of MySQL server. From versions 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, a user getting EXECUTE access to a stored routine via a role, could see the routine definition even without SHOW CREATE ROUTINE privilege. This issue has been patched in versions 11.4.11, 11.8.7, and 12.3.2.

Action-Not Available
Vendor-MariaDB Foundation
Product-server
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-42884
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.75%
||
7 Day CHG~0.00%
Published-11 May, 2026 | 19:52
Updated-12 May, 2026 | 14:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Audiobookshelf: Collection endpoints bypass library access controls exposing restricted library data

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking whether the requesting user has access to each collection's library. An authenticated user with access to any library can enumerate and read collections (including full book metadata) from libraries they are explicitly restricted from accessing. This vulnerability is fixed in 2.32.2.

Action-Not Available
Vendor-advplyr
Product-audiobookshelf
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-20332
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.40% / 31.87%
||
7 Day CHG~0.00%
Published-06 Aug, 2025 | 16:14
Updated-06 Aug, 2025 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Identity Services Engine Authorization Bypass Vulnerability

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. This vulnerability is due to the lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to modify descriptions of files on a specific page. To exploit this vulnerability, an attacker would need valid read-only Administrator&nbsp;credentials.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-Cisco Identity Services Engine Software
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-41908
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-2.3||LOW
EPSS-0.22% / 12.79%
||
7 Day CHG~0.00%
Published-23 Apr, 2026 | 17:52
Updated-24 Apr, 2026 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route

OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots.

Action-Not Available
Vendor-OpenClaw
Product-OpenClaw
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-32672
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-4.3||MEDIUM
EPSS-0.74% / 50.50%
||
7 Day CHG~0.00%
Published-06 Sep, 2023 | 13:16
Updated-26 Sep, 2024 | 15:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Superset: SQL parser edge case bypasses data access authorization

An Incorrect authorisation check in SQLLab in Apache Superset versions up to and including 2.1.0. This vulnerability allows an authenticated user to query tables that they do not have proper access to within Superset. The vulnerability can be exploited by leveraging a SQL parsing vulnerability.

Action-Not Available
Vendor-The Apache Software Foundation
Product-supersetApache Superset
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-2045
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.41%
||
7 Day CHG~0.00%
Published-06 Mar, 2025 | 13:04
Updated-06 Aug, 2025 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Incorrect Authorization in GitLab

Improper authorization in GitLab EE affecting all versions from 17.7 prior to 17.7.6, 17.8 prior to 17.8.4, 17.9 prior to 17.9.1 allow users with limited permissions to access to potentially sensitive project analytics data.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-15405
Matching Score-4
Assigner-Cisco Systems, Inc.
ShareView Details
Matching Score-4
Assigner-Cisco Systems, Inc.
CVSS Score-6.5||MEDIUM
EPSS-1.85% / 76.67%
||
7 Day CHG~0.00%
Published-05 Oct, 2018 | 14:00
Updated-26 Nov, 2024 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cisco Integrated Management Controller Supervisor and Cisco UCS Director Authenticated Web Interface Information Disclosure Vulnerability

A vulnerability in the web interface for specific feature sets of Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director could allow an authenticated, remote attacker to access sensitive information. The vulnerability is due to an authorization check that does not properly include the access level of the web interface user. An attacker who has valid application credentials could exploit this vulnerability by sending a crafted HTTP request to the web interface. A successful exploit could allow the attacker to view sensitive information that belongs to other users. The attacker could then use this information to conduct additional reconnaissance attacks.

Action-Not Available
Vendor-Cisco Systems, Inc.
Product-ucs_directorCisco Unified Computing System Director
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-15085
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.26% / 17.34%
||
7 Day CHG~0.00%
Published-25 Dec, 2025 | 19:32
Updated-31 Dec, 2025 | 20:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
youlaitech youlai-mall Balance MemberController.java deductBalance improper authorization

A security flaw has been discovered in youlaitech youlai-mall 1.0.0/2.0.0. This affects the function deductBalance of the file mall-ums/ums-boot/src/main/java/com/youlai/mall/ums/controller/app/MemberController.java of the component Balance Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

Action-Not Available
Vendor-youlaiyoulaitech
Product-youlai-mallyoulai-mall
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-15322
Matching Score-4
Assigner-3938794e-25f5-4123-a1ba-5cbd7f104512
ShareView Details
Matching Score-4
Assigner-3938794e-25f5-4123-a1ba-5cbd7f104512
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 15.52%
||
7 Day CHG~0.00%
Published-30 Jan, 2026 | 00:20
Updated-09 Mar, 2026 | 18:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tanium addressed an improper access controls vulnerability in Tanium Server.

Tanium addressed an improper access controls vulnerability in Tanium Server.

Action-Not Available
Vendor-taniumTanium
Product-serverTanium Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2025-15288
Matching Score-4
Assigner-3938794e-25f5-4123-a1ba-5cbd7f104512
ShareView Details
Matching Score-4
Assigner-3938794e-25f5-4123-a1ba-5cbd7f104512
CVSS Score-3.1||LOW
EPSS-0.22% / 13.11%
||
7 Day CHG~0.00%
Published-29 Jan, 2026 | 20:10
Updated-09 Mar, 2026 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tanium addressed an improper access controls vulnerability in Interact.

Tanium addressed an improper access controls vulnerability in Interact.

Action-Not Available
Vendor-taniumTanium
Product-interactInteract
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-1463
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.44% / 70.25%
||
7 Day CHG~0.00%
Published-17 May, 2018 | 21:00
Updated-16 Sep, 2024 | 16:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) could allow an authenticated user to access system files they should not have access to some of which could contain account credentials. IBM X-Force ID: 140368.

Action-Not Available
Vendor-IBM Corporation
Product-spectrum_virtualizestorwize_v3500_firmwarestorwize_v3500spectrum_virtualize_for_public_cloudstorwize_v5000_firmwarestorwize_v7000_firmwarestorwize_v3700_firmwarestorwize_v7000storwize_v9000_firmwarestorwize_v3700storwize_v5000san_volume_controllersan_volume_controller_firmwarestorwize_v9000FlashSystem V9000Spectrum Virtualize for Public CloudStorwize V7000 (2076)SAN Volume ControllerStorwize V5000Spectrum Virtualize SoftwareStorwize V3500Storwize V3700
CWE ID-CWE-863
Incorrect Authorization
CVE-2018-1250
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-6.5||MEDIUM
EPSS-1.60% / 73.11%
||
7 Day CHG~0.00%
Published-28 Sep, 2018 | 18:00
Updated-17 Sep, 2024 | 04:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contains an Authorization Bypass vulnerability. A remote authenticated user could potentially exploit this vulnerability to read files in NAS server by directly interacting with certain APIs of Unity OE, bypassing Role-Based Authorization control implemented only in Unisphere GUI.

Action-Not Available
Vendor-Dell Inc.
Product-emc_unityemc_unity_firmwareemc_unityvsaDell EMC UnityVSADell EMC Unity
CWE ID-CWE-863
Incorrect Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • Next
Details not found