Skip to main content

Cerebrate

12 CVEs product

Monthly

CVE-2026-53912 MEDIUM PATCH This Month

Cerebrate's inbox self-registration workflow exposed bcrypt password hashes of pending registrants to any authenticated user holding inbox or audit log access privileges. The hashed credential appeared unredacted across HTML, JSON, and CSV inbox responses and was also written unredacted into audit log entries, as confirmed by commit 02da6d7 and its accompanying test assertions checking for suppression of the $2y$10$ bcrypt prefix. Exploitation requires PR:H per the CVSS 4.0 vector, no active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Information Disclosure Cerebrate
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-53911 MEDIUM PATCH This Month

Unauthorized record modification in Cerebrate before 1.37 allows any authenticated user to overwrite arbitrary records of the same entity type by injecting a foreign primary key into CRUD edit requests. The flaw stems from permissive mass-assignment defaults across several entity types - User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection - where the ORM's patchEntity() accepted attacker-controlled id values from request bodies, redirecting the SQL UPDATE to an unrelated row. Because the UserSettings edit endpoint was reachable by all authenticated users, the most accessible exploitation path required only valid session credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, though the integrity impact on Role and User entities carries privilege-escalation potential that elevates real-world severity above the base CVSS score alone.

Authentication Bypass Cerebrate
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-53901 HIGH PATCH This Week

Mass-assignment in Cerebrate before v1.37 lets remote attackers reaching a generic CRUD add endpoint supply a client-controlled id when creating objects, because the add() handler stripped id from the raw $params but not from the normalized $input passed to entity patching. No public exploit identified at time of analysis, but the upstream commit aff1ca7 makes the root cause and exploit path trivially recoverable. CVSS 4.0 of 8.7 (VI:H) reflects integrity-only impact on the vulnerable system.

Authentication Bypass Cerebrate
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2023-41908 MEDIUM PATCH This Month

Cerebrate before 1.15 lacks the Secure attribute for the session cookie. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Cerebrate
NVD GitHub
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-41363 MEDIUM PATCH This Month

In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other users. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Cerebrate
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-28883 CRITICAL PATCH Act Now

In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Cerebrate
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-26468 CRITICAL PATCH Act Now

Cerebrate 1.12 does not properly consider organisation_id during creation of API keys. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cerebrate
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2022-25321 MEDIUM POC PATCH This Month

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Cerebrate
NVD GitHub
CVSS 3.1
6.1
EPSS
1.1%
CVE-2022-25320 MEDIUM PATCH This Month

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cerebrate
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2022-25319 MEDIUM POC PATCH This Month

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Cerebrate
NVD GitHub
CVSS 3.1
5.3
EPSS
1.3%
CVE-2022-25318 MEDIUM PATCH This Month

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Cerebrate
NVD GitHub
CVSS 3.1
4.3
EPSS
0.6%
CVE-2022-25317 MEDIUM PATCH This Month

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Cerebrate
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Cerebrate's inbox self-registration workflow exposed bcrypt password hashes of pending registrants to any authenticated user holding inbox or audit log access privileges. The hashed credential appeared unredacted across HTML, JSON, and CSV inbox responses and was also written unredacted into audit log entries, as confirmed by commit 02da6d7 and its accompanying test assertions checking for suppression of the $2y$10$ bcrypt prefix. Exploitation requires PR:H per the CVSS 4.0 vector, no active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Information Disclosure Cerebrate
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Unauthorized record modification in Cerebrate before 1.37 allows any authenticated user to overwrite arbitrary records of the same entity type by injecting a foreign primary key into CRUD edit requests. The flaw stems from permissive mass-assignment defaults across several entity types - User, Role, UserSetting, LocalTool, PermissionLimitation, and EnumerationCollection - where the ORM's patchEntity() accepted attacker-controlled id values from request bodies, redirecting the SQL UPDATE to an unrelated row. Because the UserSettings edit endpoint was reachable by all authenticated users, the most accessible exploitation path required only valid session credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, though the integrity impact on Role and User entities carries privilege-escalation potential that elevates real-world severity above the base CVSS score alone.

Authentication Bypass Cerebrate
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Mass-assignment in Cerebrate before v1.37 lets remote attackers reaching a generic CRUD add endpoint supply a client-controlled id when creating objects, because the add() handler stripped id from the raw $params but not from the normalized $input passed to entity patching. No public exploit identified at time of analysis, but the upstream commit aff1ca7 makes the root cause and exploit path trivially recoverable. CVSS 4.0 of 8.7 (VI:H) reflects integrity-only impact on the vulnerable system.

Authentication Bypass Cerebrate
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Cerebrate before 1.15 lacks the Secure attribute for the session cookie. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Cerebrate
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other users. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Cerebrate
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Cerebrate
NVD GitHub
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Cerebrate 1.12 does not properly consider organisation_id during creation of API keys. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cerebrate
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Cerebrate
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Cerebrate
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Cerebrate
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Cerebrate
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Cerebrate
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy