Skip to main content
CVE-2026-55460 HIGH PATCH This Week

Broken authorization in Snipe-IT before 8.6.2 lets an authenticated non-admin user who holds users.view and users.edit - but explicitly not users.delete - soft-delete other non-admin user accounts by POSTing delete_user=1 to /users/bulksave. The root cause is that BulkUsersController::destroy() checks only the 'update' authorization, so the delete permission gate is never enforced. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Snipe It
NVD GitHub
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-55881 HIGH PATCH This Week

Cross-tenant information disclosure in OpenReplay's self-hosted session-replay backend (versions 1.22.0 through 1.26.x) lets any authenticated low-privilege user retrieve the first 15 seconds of another tenant's DOM session-replay recording. The getFirstMob endpoint issued a 15-second presigned S3 URL keyed only on a user-supplied session path, while validateProjectAccess confirmed project-to-tenant ownership but never confirmed that the requested session actually belonged to that project, breaking multi-tenant isolation. No public exploit identified at time of analysis, but the flaw is trivially triggerable by any valid account and is fixed in 1.27.0.

Authentication Bypass Openreplay
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-55880 HIGH This Week

Broken object-level authorization (IDOR) in OpenReplay 1.27.0 and earlier lets any authenticated project member tamper with other users' private data: the notes.delete, dashboards.update_widget, and dashboards.remove_widget backend functions omit the ownership predicate their sibling read/edit functions enforce, so they act on any note or widget matching only an id and project/dashboard id. An authenticated low-privilege member can delete another user's private session notes and remove or rewrite widgets on another user's private dashboards. There is no public exploit identified and no CISA KEV listing; impact is integrity/availability of other tenants' data, not disclosure (CVSS 7.1, C:N/I:H/A:L).

Authentication Bypass Openreplay
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-55474 HIGH PATCH This Week

Arbitrary file read in Snipe-IT before 8.5.0 lets an authenticated user abuse the ActionlogController::displaySig endpoint, which concatenates the route's filename parameter into a private upload-directory path without sanitization, enabling relative path traversal (CWE-23) to read any file the web server process can access. The CVSS 4.0 base score is 7.1 with high confidentiality impact only; there is no public exploit identified at time of analysis and no CISA KEV listing. Because Snipe-IT stores database credentials and application secrets in web-readable files, the practical impact can extend beyond simple information disclosure toward full application compromise.

Information Disclosure Snipe It
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-61455 HIGH PATCH This Week

Denial of service in Grav CMS before 2.0.1 allows authenticated users to exhaust server storage by uploading a crafted ZIP archive (a decompression bomb) that the ZipArchiver::extract() routine expands without enforcing limits on uncompressed size, file count, or nesting depth. The CVSS 4.0 base score of 7.1 reflects a network-reachable, low-privilege flaw whose sole impact is high availability loss. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Denial Of Service Grav
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-61450 HIGH PATCH This Week

Sensitive configuration exfiltration in Grav CMS before 2.0.2 lets an authenticated page author bypass the Twig sandbox and read the full config tree, including plugin SMTP credentials, API keys, and database passwords. The flaw is an incomplete fix for the earlier GHSA-j274-39qw-32c9 sandbox escape: the redacted 'config' facade is still trivially bypassed through the allow-listed grav.offsetGet('config') call. No public exploit has been identified at time of analysis, though the bypass technique is fully described in the vendor advisory.

Code Injection PHP RCE Grav
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-61441 HIGH PATCH This Week

Broken authorization in PraisonAI Platform before 0.1.9 lets an authenticated workspace member delete owner-created issue dependencies they should not be able to remove. The DELETE dependency route accepts either endpoint of a dependency edge and validates delete permission only against the caller-supplied issue URL, so a member blocked (403) via the owner's issue endpoint can delete the same edge by targeting their own member-owned issue endpoint. Reported by VulnCheck with a vendor patch available; no public exploit identified at time of analysis and it is not on CISA KEV.

Authentication Bypass Praisonai
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56335 HIGH PATCH This Week

Improper access control in Capgo before 12.128.2 lets holders of write-scoped API keys directly mutate protected channel configuration fields (such as public, allow_emulator, and security-related flags) through the PostgREST data layer, bypassing intended application route restrictions. The flaw stems from a null authentication check in the database immutability trigger, allowing a low-privileged but authenticated actor to alter integrity-sensitive delivery settings for a Capacitor live-update backend. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Capgo
NVD GitHub
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-55843 HIGH PATCH This Week

Improper permission handling in Snipe-IT before 8.6.0 lets a privileged user strip another user's administrative or granular permissions when editing their account. Because UsersController::update() treats a missing permissions field as a sparse payload rather than a no-op, an administrator editing another administrator — or any user holding users.edit editing a regular account — can silently wipe the target's privileges. No public exploit identified at time of analysis; this is an authenticated integrity/availability issue rather than a remote takeover.

Privilege Escalation Snipe It
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-57217 HIGH PATCH This Week

Authorization bypass in RabbitMQ topic permissions lets an authenticated user with restricted topic rights publish to or bind on topics they should be denied, but only during metadata-store failure windows. When the Khepri metadata store returns a lookup error, the topic-permission result collapses to 'undefined', which the internal authorization backend fails open and treats as 'allow'. There is no public exploit identified at time of analysis and it is not on CISA KEV; the CVSS 4.0 base score is 7.0.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-57215 HIGH PATCH This Week

Improper authorization in RabbitMQ broker (versions prior to 3.13.15, 4.0.20, 4.1.11, and 4.2.6) allows an authenticated client to create foreign bindings against another connection's volatile amq.rabbitmq.reply-to (direct reply-to) destination, so persistent route entries survive after unbind and can leak RPC reply traffic intended for other clients. The flaw stems from Khepri-backed deletion checks that omit these volatile pseudo-queues, letting stale routes persist. No public exploit identified at time of analysis; exploitation requires valid credentials and has high attack complexity per the vendor CVSS 4.0 vector.

Authentication Bypass Rabbitmq Server
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.2%
CVE-2026-54000 HIGH PATCH This Week

Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM by planting a maliciously crafted process whose Process Environment Block (PEB) contains oversized command-line or current-directory strings. When the osquery agent - typically running as SYSTEM - queries the `processes` table against that process, unchecked PEB string lengths trigger a heap-based out-of-bounds write (CWE-122). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Heap Overflow Microsoft Buffer Overflow Osquery
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-54001 HIGH PATCH This Week

Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a maliciously crafted binary and having the authenticode table query it, triggering a heap out-of-bounds write in the getOriginalProgramName publisher-parsing routine. The flaw is a CWE-122 heap buffer overflow reachable whenever osquery (typically running as SYSTEM) evaluates authenticode publisher metadata against attacker-controlled files. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.

Privilege Escalation Heap Overflow Microsoft Buffer Overflow Osquery
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-38057 HIGH CISA This Week

Cross-site request forgery in ST Engineering iDirect satellite terminals (Evolution iQ-series, including the iQ200, plus 3315-series and 9-series) lets a remote attacker force an authenticated administrator's browser to submit a POST to the /api/reboot endpoint, rebooting the modem and dropping the satellite link. Because the session cookie lacks a SameSite attribute and no CSRF token is validated, simply luring a logged-in admin to a malicious page triggers the reboot; repeated abuse sustains a denial-of-service against connectivity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

CSRF Evolution Iq Series Terminals 3315 Series 9 Series Terminals
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy