Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-12411

Summary
Assigner-canonical
Assigner Org ID-cc1ad9ee-3454-478d-9317-d3e869d708bc
Published At-26 Jun, 2026 | 15:27
Updated At-26 Jun, 2026 | 16:02
Rejected At-
Credits

Broken Access Control in Canonical LXD DevLXD API

Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:canonical
Assigner Org ID:cc1ad9ee-3454-478d-9317-d3e869d708bc
Published At:26 Jun, 2026 | 15:27
Updated At:26 Jun, 2026 | 16:02
Rejected At:
▼CVE Numbering Authority (CNA)
Broken Access Control in Canonical LXD DevLXD API

Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.

Affected Products
Vendor
Canonical Ltd.Canonical
Product
lxd
Collection URL
https://github.com/canonical
Package Name
lxd
Repo
https://github.com/canonical/lxd
Program Files
  • permissions.go
Platforms
  • Linux
Default Status
unaffected
Versions
Affected
  • From 6.6 before 6.9 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-639CWE-639 Authorization bypass through User-Controlled key
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-639
Description: CWE-639 Authorization bypass through User-Controlled key
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
3.18.4HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Version: 3.1
Base score: 8.4
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-77Manipulating User-Controlled Variables
CAPEC ID: CAPEC-77
Description: Manipulating User-Controlled Variables
Solutions

Upgrade to LXD version 6.9 or later.

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp
vdb-entry
vendor-advisory
https://github.com/canonical/lxd/pull/18585
patch
Hyperlink: https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp
Resource:
vdb-entry
vendor-advisory
Hyperlink: https://github.com/canonical/lxd/pull/18585
Resource:
patch
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp
exploit
Hyperlink: https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@ubuntu.com
Published At:26 Jun, 2026 | 16:16
Updated At:02 Jul, 2026 | 14:14

Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.4HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary3.19.6CRITICAL
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
N/A
Type: Secondary
Version: 3.1
Base score: 8.4
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Type: Primary
Version: 3.1
Base score: 9.6
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

Canonical Ltd.
canonical
>>lxd>>Versions from 6.6(inclusive) to 6.9(exclusive)
cpe:2.3:a:canonical:lxd:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-639Secondarysecurity@ubuntu.com
CWE-862Secondarysecurity@ubuntu.com
CWE ID: CWE-639
Type: Secondary
Source: security@ubuntu.com
CWE ID: CWE-862
Type: Secondary
Source: security@ubuntu.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://github.com/canonical/lxd/pull/18585security@ubuntu.com
Issue Tracking
Patch
https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xpsecurity@ubuntu.com
Exploit
Vendor Advisory
https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
Hyperlink: https://github.com/canonical/lxd/pull/18585
Source: security@ubuntu.com
Resource:
Issue Tracking
Patch
Hyperlink: https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp
Source: security@ubuntu.com
Resource:
Exploit
Vendor Advisory
Hyperlink: https://github.com/canonical/lxd/security/advisories/GHSA-hhf9-qw4v-72xp
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource:
Exploit
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

35Records found

CVE-2026-49238
Matching Score-8
Assigner-Canonical Ltd.
ShareView Details
Matching Score-8
Assigner-Canonical Ltd.
CVSS Score-8.4||HIGH
EPSS-0.51% / 39.44%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 13:22
Updated-01 Jun, 2026 | 13:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SFTP Server VM Escape in Canonical Multipass

An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment bypass vulnerability within its validate_path function in src/sshfs_mount/sftp_server.cpp. The function performs a plain string prefix comparison on requested paths without path separator validation or dot-dot (..) normalization. A local attacker with root privileges inside a guest virtual machine can bypass the FUSE layer by injecting raw SFTP frames (such as an SSH_FXP_OPEN request) directly into the sshfs_server process stdin/stdout pipes via procfs. By supplying a path containing directory traversal sequences that match the allowed mount prefix, the attacker can force the host-side root process to resolve the traversal and open files outside the designated mount boundary. This allows a guest-side user to read arbitrary files on the host filesystem, resulting in a virtual machine escape.

Action-Not Available
Vendor-Canonical Ltd.
Product-multipassMultipass
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-0543
Matching Score-6
Assigner-Debian GNU/Linux
ShareView Details
Matching Score-6
Assigner-Debian GNU/Linux
CVSS Score-10||CRITICAL
EPSS-99.67% / 99.95%
||
7 Day CHG~0.00%
Published-18 Feb, 2022 | 19:25
Updated-10 Nov, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-04-18||Apply updates per vendor instructions.

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

Action-Not Available
Vendor-Redis Inc.Canonical Ltd.Debian GNU/Linux
Product-ubuntu_linuxdebian_linuxredisredisDebian-specific Redis Servers
CWE ID-CWE-862
Missing Authorization
CVE-2022-0492
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-5.53% / 91.85%
||
7 Day CHG~0.00%
Published-03 Mar, 2022 | 00:00
Updated-03 Jun, 2026 | 12:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2026-06-05||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

Action-Not Available
Vendor-n/aDebian GNU/LinuxCanonical Ltd.NetApp, Inc.Red Hat, Inc.Fedora ProjectLinux Kernel Organization, Inc
Product-h300s_firmwareh410c_firmwareenterprise_linux_server_aush410s_firmwareenterprise_linuxh700sh700s_firmwareenterprise_linux_for_ibm_z_systems_eusvirtualization_hostenterprise_linux_for_real_time_for_nfv_tusenterprise_linux_for_ibm_z_systemsenterprise_linux_eusenterprise_linux_for_power_little_endiancodeready_linux_builder_for_power_little_endiansolidfire\,_enterprise_sds_\&_hci_storage_nodeh410cfedoraenterprise_linux_server_for_power_little_endian_update_services_for_sap_solutionshci_compute_nodedebian_linuxh500s_firmwareenterprise_linux_for_power_little_endian_euscodeready_linux_builderubuntu_linuxh500sbootstrap_osh300sh410senterprise_linux_server_tuslinux_kernelenterprise_linux_for_real_time_tussolidfire_\&_hci_management_nodeenterprise_linux_server_update_services_for_sap_solutionskernelKernel
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-862
Missing Authorization
CVE-2019-17055
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-3.3||LOW
EPSS-0.54% / 41.54%
||
7 Day CHG~0.00%
Published-01 Oct, 2019 | 13:10
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21.

Action-Not Available
Vendor-n/aFedora ProjectCanonical Ltd.Red Hat, Inc.Linux Kernel Organization, IncopenSUSEDebian GNU/Linux
Product-enterprise_linux_serverubuntu_linuxdebian_linuxlinux_kernelenterprise_linux_workstationfedoraenterprise_linux_desktopleapn/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-3351
Matching Score-6
Assigner-Canonical Ltd.
ShareView Details
Matching Score-6
Assigner-Canonical Ltd.
CVSS Score-2.1||LOW
EPSS-0.14% / 3.83%
||
7 Day CHG~0.00%
Published-03 Mar, 2026 | 12:49
Updated-11 Mar, 2026 | 18:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authorization Bypass in LXD GET /1.0/certificates Endpoint

Improper authorization in the API endpoint GET /1.0/certificates in Canonical LXD 6.6 on Linux allows an authenticated, restricted user to enumerate all certificate fingerprints trusted by the lxd server.

Action-Not Available
Vendor-Canonical Ltd.Linux Kernel Organization, Inc
Product-lxdlinux_kernellxd
CWE ID-CWE-862
Missing Authorization
CVE-2019-15030
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4.4||MEDIUM
EPSS-0.45% / 36.07%
||
7 Day CHG~0.00%
Published-13 Sep, 2019 | 12:37
Updated-05 Aug, 2024 | 00:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the Linux kernel through 5.2.14 on the powerpc platform, a local user can read vector registers of other users' processes via a Facility Unavailable exception. To exploit the venerability, a local user starts a transaction (via the hardware transactional memory instruction tbegin) and then accesses vector registers. At some point, the vector registers will be corrupted with the values from a different local Linux process because of a missing arch/powerpc/kernel/process.c check.

Action-Not Available
Vendor-n/aopenSUSELinux Kernel Organization, IncCanonical Ltd.Red Hat, Inc.
Product-ubuntu_linuxenterprise_linuxlinux_kernelleapn/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-32694
Matching Score-6
Assigner-Canonical Ltd.
ShareView Details
Matching Score-6
Assigner-Canonical Ltd.
CVSS Score-6.6||MEDIUM
EPSS-0.27% / 18.48%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 12:55
Updated-19 Mar, 2026 | 15:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Direct Object Reference attack via predictable secret ID in Juju

In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the same secret owner to different grantees, allowing them to use the resources granted by those past secrets. Successful exploitation relies on a very specific configuration, specific data semantic, and the administrator having the need to deploy at least two different applications, one of them controlled by the attacker.

Action-Not Available
Vendor-Canonical Ltd.
Product-jujuJuju
CWE ID-CWE-343
Predictable Value Range from Previous Values
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2019-14822
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.1||HIGH
EPSS-0.36% / 28.52%
||
7 Day CHG~0.00%
Published-25 Nov, 2019 | 11:01
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user.

Action-Not Available
Vendor-ibus_projectn/aOracle CorporationRed Hat, Inc.Canonical Ltd.
Product-ubuntu_linuxenterprise_linuxzfs_storage_appliance_kitibusibus
CWE ID-CWE-862
Missing Authorization
CVE-2019-16236
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-2.38% / 81.87%
||
7 Day CHG~0.00%
Published-11 Sep, 2019 | 18:57
Updated-05 Aug, 2024 | 01:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dino before 2019-09-10 does not check roster push authorization in module/roster/module.vala.

Action-Not Available
Vendor-dinon/aCanonical Ltd.Fedora ProjectDebian GNU/Linux
Product-ubuntu_linuxdebian_linuxfedoradinon/a
CWE ID-CWE-862
Missing Authorization
CVE-2020-27349
Matching Score-6
Assigner-Canonical Ltd.
ShareView Details
Matching Score-6
Assigner-Canonical Ltd.
CVSS Score-5.5||MEDIUM
EPSS-0.29% / 20.55%
||
7 Day CHG~0.00%
Published-09 Dec, 2020 | 03:35
Updated-16 Sep, 2024 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
aptdaemon performed policykit permissions checks too late

Aptdaemon performed policykit checks after interacting with potentially untrusted files with elevated privileges. This affected versions prior to 1.1.1+bzr982-0ubuntu34.1, 1.1.1+bzr982-0ubuntu32.3, 1.1.1+bzr982-0ubuntu19.5, 1.1.1+bzr982-0ubuntu14.5.

Action-Not Available
Vendor-Canonical Ltd.
Product-ubuntu_linuxaptdaemon
CWE ID-CWE-862
Missing Authorization
CVE-2020-15780
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.7||MEDIUM
EPSS-1.31% / 67.23%
||
7 Day CHG~0.00%
Published-15 Jul, 2020 | 21:24
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.

Action-Not Available
Vendor-n/aopenSUSELinux Kernel Organization, IncCanonical Ltd.
Product-ubuntu_linuxlinux_kernelleapn/a
CWE ID-CWE-862
Missing Authorization
CVE-2020-14001
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.56% / 90.44%
||
7 Day CHG+0.09%
Published-17 Jul, 2020 | 15:27
Updated-04 Aug, 2024 | 12:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

Action-Not Available
Vendor-kramdown_projectn/aCanonical Ltd.Fedora ProjectDebian GNU/Linux
Product-ubuntu_linuxkramdowndebian_linuxfedoran/a
CWE ID-CWE-862
Missing Authorization
CVE-2019-9924
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.41% / 33.41%
||
7 Day CHG~0.00%
Published-22 Mar, 2019 | 07:05
Updated-04 Aug, 2024 | 22:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.

Action-Not Available
Vendor-n/aGNUopenSUSENetApp, Inc.Canonical Ltd.Debian GNU/Linux
Product-ubuntu_linuxdebian_linuxhci_management_nodebashsolidfireleapn/a
CWE ID-CWE-862
Missing Authorization
CVE-2019-11761
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.79% / 51.78%
||
7 Day CHG~0.00%
Published-08 Jan, 2020 | 19:52
Updated-04 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

By using a form with a data URI it was possible to gain access to the privileged JSONView object that had been cloned into content. Impact from exposing this object appears to be minimal, however it was a bypass of existing defense in depth mechanisms. This vulnerability affects Firefox < 70, Thunderbird < 68.2, and Firefox ESR < 68.2.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-firefoxubuntu_linuxthunderbirdfirefox_esrFirefoxFirefox ESRThunderbird
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2012-0055
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-1.24% / 65.55%
||
7 Day CHG~0.00%
Published-19 Feb, 2020 | 17:28
Updated-06 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10.0.4 LTS and 11.10, is missing inode security checks which could allow attackers to bypass security restrictions and perform unauthorized actions.

Action-Not Available
Vendor-Linux kernelLinux Kernel Organization, IncCanonical Ltd.
Product-ubuntu_linuxlinux_kernelOverlayFS
CWE ID-CWE-862
Missing Authorization
CVE-2019-10161
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-8.8||HIGH
EPSS-0.52% / 40.08%
||
7 Day CHG~0.00%
Published-30 Jul, 2019 | 22:14
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was discovered that libvirtd before versions 4.10.1 and 5.4.1 would permit read-only clients to use the virDomainSaveImageGetXMLDesc() API, specifying an arbitrary path which would be accessed with the permissions of the libvirtd process. An attacker with access to the libvirtd socket could use this to probe the existence of arbitrary files, cause denial of service or cause libvirtd to execute arbitrary programs.

Action-Not Available
Vendor-LibvirtCanonical Ltd.Red Hat, Inc.
Product-ubuntu_linuxvirtualizationenterprise_linuxvirtualization_hostlibvirtlibvirt
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-5113
Matching Score-6
Assigner-Mozilla Corporation
ShareView Details
Matching Score-6
Assigner-Mozilla Corporation
CVSS Score-7.5||HIGH
EPSS-2.07% / 79.15%
||
7 Day CHG~0.00%
Published-11 Jun, 2018 | 21:00
Updated-05 Aug, 2024 | 05:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The "browser.identity.launchWebAuthFlow" function of WebExtensions is only allowed to load content over "https:" but this requirement was not properly enforced. This can potentially allow privileged pages to be loaded by the extension. This vulnerability affects Firefox < 58.

Action-Not Available
Vendor-Mozilla CorporationCanonical Ltd.
Product-firefoxubuntu_linuxFirefox
CWE ID-CWE-862
Missing Authorization
CVE-2018-1116
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.7||MEDIUM
EPSS-1.20% / 64.33%
||
7 Day CHG~0.00%
Published-10 Jul, 2018 | 19:00
Updated-05 Aug, 2024 | 03:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in polkit before version 0.116. The implementation of the polkit_backend_interactive_authority_check_authorization function in polkitd allows to test for authentication and trigger authentication of unrelated processes owned by other users. This may result in a local DoS and information disclosure.

Action-Not Available
Vendor-polkit_project[UNKNOWN]Canonical Ltd.Debian GNU/Linux
Product-polkitubuntu_linuxdebian_linuxpolkit
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2017-9232
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-48.50% / 98.72%
||
7 Day CHG~0.00%
Published-28 May, 2017 | 00:00
Updated-13 May, 2026 | 00:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a UNIX domain socket without setting appropriate permissions, allowing privilege escalation by users on the system to root.

Action-Not Available
Vendor-n/aCanonical Ltd.
Product-jujun/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-57498
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.22% / 12.81%
||
7 Day CHG~0.00%
Published-29 Jun, 2026 | 20:12
Updated-30 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid — Deploy to Other Teams' Servers

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474.

Action-Not Available
Vendor-coollabsio
Product-coolify
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2026-53470
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.28% / 19.82%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 13:55
Updated-10 Jun, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Migration-planner: getsourcedownloadurl missing organization check

A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the `/api/v1/sources/{id}/image-url` endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images belonging to other users. Consequently, the attacker can download OVA images containing sensitive information, such as long-lived agent JSON Web Tokens (JWTs) and source configurations, potentially leading to unauthorized access and modification of the victim's source.

Action-Not Available
Vendor-
Product-
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-50084
Matching Score-4
Assigner-44488dab-36db-4358-99f9-bc116477f914
ShareView Details
Matching Score-4
Assigner-44488dab-36db-4358-99f9-bc116477f914
CVSS Score-9.6||CRITICAL
EPSS-0.21% / 11.59%
||
7 Day CHG~0.00%
Published-12 Jun, 2026 | 15:01
Updated-12 Jun, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Aqara API cross-account access

The Aqara Cloud Production API (open-cn.aqara.com/v3.0/open/api) would authorize any valid developer token for access to any account. This is an instance of "CWE-862: Missing Authorization" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical). When combined with CVE-2026-50082, CVE-50083, and CVE-50085, this can lead to a fully unauthenticated, remote takeover of affected devices.

Action-Not Available
Vendor-Aqara
Product-Cloud Production API
CWE ID-CWE-862
Missing Authorization
CVE-2026-48582
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-9.6||CRITICAL
EPSS-0.39% / 30.91%
||
7 Day CHG~0.00%
Published-19 Jun, 2026 | 20:29
Updated-01 Jul, 2026 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Exchange Online Elevation of Privilege Vulnerability

Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.

Action-Not Available
Vendor-Microsoft Corporation
Product-exchange_onlineMicrosoft Exchange Online
CWE ID-CWE-862
Missing Authorization
CVE-2026-46441
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.6||HIGH
EPSS-0.27% / 19.13%
||
7 Day CHG~0.00%
Published-08 Jun, 2026 | 15:30
Updated-11 Jun, 2026 | 04:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flowise: Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignment

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating an assistant resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign assistants to arbitrary workspaces. This breaks tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.

Action-Not Available
Vendor-flowiseaiFlowiseAI
Product-flowiseFlowise
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2026-5845
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
ShareView Details
Matching Score-4
Assigner-GitHub, Inc. (Products Only)
CVSS Score-7.2||HIGH
EPSS-0.23% / 13.81%
||
7 Day CHG~0.00%
Published-21 Apr, 2026 | 22:42
Updated-29 Apr, 2026 | 12:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improper authorization fallback allows scoped user-to-server token installation escape in GitHub Enterprise Server

An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server allows an authenticated attacker to access private repositories outside the intended installation scope, which can include write operations, via an authorization fallback that treated a revoked/deleted installation as a global installation context, which could be chained with token revocation timing and SSH push attribution to obtain and reuse a victim-scoped token. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.21 and was fixed in versions 3.20.1, 3.19.5, 3.18.8, 3.17.14, 3.16.17, 3.15.21, and 3.14.26. This vulnerability was reported via the GitHub Bug Bounty program.

Action-Not Available
Vendor-GitHub, Inc.
Product-enterprise_serverEnterprise Server
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-42861
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.6||HIGH
EPSS-0.25% / 16.66%
||
7 Day CHG~0.00%
Published-08 Jun, 2026 | 15:25
Updated-11 Jun, 2026 | 03:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flowise: Mass Assignment in Variable Update Endpoint Allows Cross-Workspace Resource Reassignment

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId, createdDate, and updatedDate when updating a variable resource. Due to missing server-side validation and authorization checks, an attacker can manipulate the workspaceId field and reassign variables to arbitrary workspaces. This behavior may break tenant isolation in multi-workspace environments. This issue has been patched in version 3.1.2.

Action-Not Available
Vendor-flowiseaiFlowiseAI
Product-flowiseFlowise
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVE-2026-53471
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.29% / 20.43%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 13:55
Updated-10 Jun, 2026 | 19:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Migration-planner: agent api ignores jwt source_id claim

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens (JWTs) for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the source_id claim within these tokens against the requested source ID. This oversight allows an authenticated attacker with a valid agent token to manipulate data across different tenants, leading to a complete collapse of tenant isolation. This could result in unauthorized overwriting of victim inventory, planting of malicious credential URLs, or corruption of migration assessments.

Action-Not Available
Vendor-
Product-
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-30884
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.17% / 6.38%
||
7 Day CHG~0.00%
Published-18 Mar, 2026 | 02:26
Updated-16 Apr, 2026 | 14:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.

Action-Not Available
Vendor-mdjnelson
Product-moodle-mod_customcert
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-11807
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.37% / 28.96%
||
7 Day CHG+0.01%
Published-23 Jun, 2026 | 19:40
Updated-29 Jun, 2026 | 12:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Eda-server: websocket missing authorization allows credential theft via activation_id spoofing

A missing authorization vulnerability was found in the Event-Driven Ansible (EDA) websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activation_id to receive plaintext credentials associated with that activation, including OAuth tokens, vault passwords, and SSH keys.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Ansible Automation Platform 2.6Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Ansible Automation Platform 2.5Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Ansible Automation Platform 2.6Red Hat Ansible Automation Platform 2.5 for RHEL 9Red Hat Ansible Automation Platform 2.5Red Hat Ansible Automation Platform 2.6 for RHEL 9Red Hat Ansible Automation Platform 2.5 for RHEL 8
CWE ID-CWE-862
Missing Authorization
CVE-2026-10140
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.6||CRITICAL
EPSS-0.20% / 10.09%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 19:55
Updated-02 Jul, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflowLangflow OSS
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2022-41937
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.73% / 49.81%
||
7 Day CHG~0.00%
Published-22 Nov, 2022 | 00:00
Updated-23 Apr, 2025 | 16:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in XWiki Platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package. The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8. As a workaround, setting the right of the page Filter.WebHome and making sure only the main wiki administrators can view the application installed on main wiki or edit the page and apply the changed described in commit fb49b4f.

Action-Not Available
Vendor-XWiki SAS
Product-xwikixwiki-platform
CWE ID-CWE-862
Missing Authorization
CVE-2024-5619
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-9.6||CRITICAL
EPSS-0.36% / 28.26%
||
7 Day CHG~0.00%
Published-18 Jul, 2024 | 16:49
Updated-03 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IDOR in PruvaSoft Informatics' Apinizer Management Console

Authorization Bypass Through User-Controlled Key vulnerability in PruvaSoft Informatics Apinizer Management Console allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apinizer Management Console: before 2024.05.1.

Action-Not Available
Vendor-PruvaSoft Informaticsapinizer
Product-Apinizer Management Consoleapinizer
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2021-21382
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-8.6||HIGH
EPSS-1.47% / 70.55%
||
7 Day CHG~0.00%
Published-11 Jun, 2021 | 20:50
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unsafe loopback forwarding interface in Restund

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhost which you might consider private. In the configuration that we ship (https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43) the `status` interface of restund is enabled and is listening on `127.0.0.1`.The `status` interface allows users to issue administrative commands to `restund` like listing open relays or draining connections. It would be possible for an attacker to contact the status interface and issue administrative commands by setting `XOR-PEER-ADDRESS` to `127.0.0.1:{{restund_udp_status_port}}` when opening a TURN channel. We now explicitly disallow relaying to loopback addresses, 'any' addresses, link local addresses, and the broadcast address. As a workaround disable the `status` module in your restund configuration. However there might still be other services running on `127.0.0.0/8` that you do not want to have exposed. The `turn` module can be disabled. Restund will still perform STUN and this might already be enough for initiating calls in your environments. TURN is only used as a last resort when other NAT traversal options do not work. One should also make sure that the TURN server is set up with firewall rules so that it cannot relay to other addresses that you don't want the TURN server to relay to. For example other services in the same VPC where the TURN server is running. Ideally TURN servers should be deployed in an isolated fashion where they can only reach what they need to reach to perform their task of assisting NAT-traversal.

Action-Not Available
Vendor-wirewireapp
Product-restundrestund
CWE ID-CWE-668
Exposure of Resource to Wrong Sphere
CWE ID-CWE-862
Missing Authorization
CVE-2024-36326
Matching Score-4
Assigner-Advanced Micro Devices Inc.
ShareView Details
Matching Score-4
Assigner-Advanced Micro Devices Inc.
CVSS Score-8.4||HIGH
EPSS-0.12% / 2.44%
||
7 Day CHG~0.00%
Published-06 Sep, 2025 | 17:25
Updated-26 Feb, 2026 | 17:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in AMD RomArmor could allow an attacker to bypass ROMArmor protections during system resume from a standby state, potentially resulting in a loss of confidentiality and integrity.

Action-Not Available
Vendor-Advanced Micro Devices, Inc.
Product-AMD Ryzen™ AI 300 Series ProcessorsAMD Ryzen™ 7040 Series Mobile Processors with Radeon™ Graphics
CWE ID-CWE-862
Missing Authorization
CVE-2025-62712
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-9.6||CRITICAL
EPSS-0.47% / 37.14%
||
7 Day CHG+0.02%
Published-30 Oct, 2025 | 16:08
Updated-12 Nov, 2025 | 15:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
JumpServer Connection Token Leak Vulnerability

JumpServer is an open source bastion host and an operation and maintenance security audit system. In JumpServer versions prior to v3.10.20-lts and v4.10.11-lts, an authenticated, non-privileged user can retrieve connection tokens belonging to other users via the super-connection API endpoint (/api/v1/authentication/super-connection-token/). When accessed from a web browser, this endpoint returns connection tokens created by all users instead of restricting results to tokens owned by or authorized for the requester. An attacker who obtains these tokens can use them to initiate connections to managed assets on behalf of the original token owners, resulting in unauthorized access and privilege escalation across sensitive systems. This vulnerability is fixed in v3.10.20-lts and v4.10.11-lts.

Action-Not Available
Vendor-JumpServer (FIT2CLOUD Inc.)FIT2CLOUD Inc.
Product-jumpserverjumpserver
CWE ID-CWE-862
Missing Authorization
Details not found