CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Monthly
Privilege escalation in Canonical LXD 4.12 through 6.7 enables remote authenticated restricted TLS certificate users to gain cluster admin privileges. Exploitation requires high-privilege authentication (PR:H) but no user interaction. The vulnerability stems from missing validation of the Type field in the doCertificateUpdate function when processing PUT/PATCH requests to the certificates API endpoint. Attack scope is changed (S:C), allowing attackers to break containment and achieve full cluster compromise with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Privilege escalation in AWS Research and Engineering Studio (RES) versions prior to 2026.03 allows authenticated remote attackers to assume virtual desktop host instance profile permissions and interact with AWS resources via crafted API requests. The vulnerability stems from unsanitized user-modifiable attributes in session creation. CVSS 8.7 (High) with network attack vector, low complexity, and requiring low privileges. Vendor-released patch available (version 2026.03). EPSS data not provided; no public exploit identified at time of analysis.
Privilege escalation in z-9527 admin 1.0/2.0 allows authenticated users to manipulate the isAdmin parameter in the User Update Endpoint (/server/routes/user.js) to gain administrative privileges through dynamically-determined object attributes. The vulnerability requires network access and valid credentials (PR:L per CVSS vector) but no user interaction. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving all versions in the 1.x and 2.x branches unpatched.
Authenticated remote code execution via mass assignment in the GougoCMS 4.08.18 User Registration Handler allows attackers with valid credentials to manipulate the 'level' parameter during registration, exploiting dynamically-determined object attributes to escalate privileges or modify sensitive user properties. The vulnerability affects the reg_submit function in Login.php and has publicly available exploit code; the vendor has not responded to the early disclosure notification.
Privilege escalation in APTRS (Automated Penetration Testing Reporting System) prior to version 2.0.1 allows any user to escalate their own account or modify any other user account to superuser status by submitting a crafted POST request to /api/auth/edituser/<pk> with an is_superuser field set to true. The CustomUserSerializer fails to mark is_superuser as read-only despite including it in serializer fields, and the edit_user view lacks validation to prevent non-superusers from modifying this critical field. No public exploit code or active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit given basic HTTP client access to the endpoint.
Kanboard project management software contains a privilege escalation vulnerability in its user invite registration endpoint that allows invited users to inject the 'role=app-admin' parameter during account creation, granting themselves administrator privileges. This affects all Kanboard versions prior to 1.2.51. The vulnerability has documented proof-of-concept exploitation capability (CVSS E:P indicates PoC exists) and carries a CVSS 4.0 score of 7.0 with high integrity impact to both the vulnerable system and subsequent components.
CVE-2026-32742 is a security vulnerability (CVSS 4.3). Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Flowise versions up to 3.0.13 are affected by improperly controlled modification of dynamically-determined object attributes (CVSS 7.7).
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the Super Admin account. By changing the email address of the Super Admin and triggering a password reset,...
Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an authorization bypass that allows authenticated users to escalate ordinary topics to site-wide notices or banners by manipulating request parameters, circumventing administrative controls. This vulnerability affects any Discourse instance where regular users should not have the ability to create global announcements. No patch is currently available, and administrators should review recent banner and notice changes for unauthorized modifications until updating.
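The entries above share one defect: a request body is copied onto a user record without a per-field authorization check, so a client can set isAdmin, is_superuser, role or level simply by naming it. As an added example (not code from any project listed here), the following Python sketch shows the allowlist pattern that closes that gap; the field names, the two-tier self/superuser model, and the strict versus lenient modes are assumptions chosen to mirror the described flaws.

```python
"""Allowlist guard against mass assignment (CWE-915).

Added example, not code from any project on this page. Field names and the
self/superuser privilege model are assumptions for illustration.
"""
from typing import Any

# Fields a caller may set, keyed by privilege. Anything absent from these
# sets is unreachable, so a newly added column is read-only by default
# rather than writable by default (the inverse of the listed bugs).
SELF_WRITABLE = frozenset({"display_name", "avatar_url"})
ADMIN_WRITABLE = SELF_WRITABLE | {"email", "role", "is_superuser"}


class ForbiddenField(Exception):
    """Raised when a request names a field the caller may not modify."""


def allowed_fields(actor: dict[str, Any], target_id: int) -> frozenset:
    """Return the set of fields `actor` may write on user `target_id`."""
    if actor.get("is_superuser"):
        return ADMIN_WRITABLE
    if actor["id"] == target_id:
        return SELF_WRITABLE
    return frozenset()  # non-admins cannot edit other accounts at all


def apply_update(actor: dict[str, Any], target: dict[str, Any],
                 payload: dict[str, Any], *, strict: bool = True):
    """Copy only permitted keys from `payload` onto a copy of `target`.

    strict=True fails closed: any forbidden key rejects the whole request,
    and the exception is worth logging as a detection signal.
    strict=False drops forbidden keys and returns them for auditing.
    Returns (updated_record, sorted_forbidden_keys).
    """
    permitted = allowed_fields(actor, target["id"])
    forbidden = set(payload) - permitted
    if forbidden and strict:
        raise ForbiddenField(sorted(forbidden))
    updated = dict(target)
    for key in payload.keys() & permitted:
        updated[key] = payload[key]
    return updated, sorted(forbidden)
```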