Skip to main content

Maybe

1 CVEs product

Monthly

CVE-2026-63100 HIGH POC This Week

Broken access control in Maybe Finance (self-hosted personal finance app) through 0.6.0 lets any authenticated low-privilege member-role user read and rewrite instance-wide hosting settings because Settings::HostingsController applies the ensure_admin before_action only to clear_cache, leaving show and update exposed. A member can exfiltrate the operator's Synth API key rendered in plaintext in a form field, replace it with an attacker-controlled value, enable open public registration, and disable email-confirmation enforcement to disrupt the instance. Publicly available exploit code exists (reported by VulnCheck); this is not listed in CISA KEV, so there is no public exploit identified beyond the released POC.

Authentication Bypass Maybe
NVD GitHub
CVSS 4.0
7.1
CVSS 7.1
HIGH POC This Week

Broken access control in Maybe Finance (self-hosted personal finance app) through 0.6.0 lets any authenticated low-privilege member-role user read and rewrite instance-wide hosting settings because Settings::HostingsController applies the ensure_admin before_action only to clear_cache, leaving show and update exposed. A member can exfiltrate the operator's Synth API key rendered in plaintext in a form field, replace it with an attacker-controlled value, enable open public registration, and disable email-confirmation enforcement to disrupt the instance. Publicly available exploit code exists (reported by VulnCheck); this is not listed in CISA KEV, so there is no public exploit identified beyond the released POC.

Authentication Bypass Maybe
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy