Total
2704 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27112 | 1 Akuity | 1 Kargo | 2026-02-25 | N/A | 9.9 CRITICAL |
| Kargo manages and automates the promotion of software artifacts. From 1.7.0 to before v1.7.8, v1.8.11, and v1.9.3, the batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API accept multi-document YAML payloads. Specially crafted payloads can manifest a bug present in the logic of both endpoints to inject arbitrary resources (of specific types only) into the underlying namespace of an existing Project using the API server's own permissions when that behavior was not intended. Critically, an attacker may exploit this as a vector for elevating their own permissions, which can then be leveraged to achieve remote code execution or secret exfiltration. Exfiltrated artifact repository credentials can be leveraged, in turn, to execute further attacks. In some configurations of the Kargo control plane's underlying Kubernetes cluster, elevated permissions may additionally be leveraged to achieve remote code execution or secret exfiltration using kubectl. This can reduce the complexity of the attack, however, worst case scenarios remain entirely achievable even without this. This vulnerability is fixed in v1.7.8, v1.8.11, and v1.9.3. | |||||
| CVE-2026-24748 | 1 Akuity | 1 Kargo | 2026-02-25 | N/A | 7.2 HIGH |
| Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versiosn 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue. | |||||
| CVE-2024-47183 | 1 Parseplatform | 1 Parse-server | 2026-02-25 | N/A | 8.1 HIGH |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0. | |||||
| CVE-2026-25127 | 1 Open-emr | 1 Openemr | 2026-02-25 | N/A | 6.5 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permission. Unauthorized users can view the information of authorized users. Version 8.0.0 fixes the issue. | |||||
| CVE-2026-27607 | 1 Rustfs | 1 Rustfs | 2026-02-25 | N/A | 8.1 HIGH |
| RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue. | |||||
| CVE-2026-23982 | 1 Apache | 1 Superset | 2026-02-25 | N/A | 6.5 MEDIUM |
| An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to write datasets and read charts can bypass these checks by overwriting the SQL query of an existing dataset. This issue affects Apache Superset: before 6.0.0. Users are recommended to upgrade to version 6.0.0, which fixes the issue. | |||||
| CVE-2026-23989 | 1 Heinlein | 1 Opencloud Reva | 2026-02-24 | N/A | 8.2 HIGH |
| REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the "Reva" component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the the "archiver" service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3. | |||||
| CVE-2026-24851 | 1 Openfga | 2 Helm Charts, Openfga | 2026-02-24 | N/A | 8.8 HIGH |
| OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3. | |||||
| CVE-2022-1223 | 1 Phpipam | 1 Phpipam | 2026-02-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| Incorrect Authorization in GitHub repository phpipam/phpipam prior to 1.4.6. | |||||
| CVE-2026-26316 | 1 Openclaw | 1 Openclaw | 2026-02-24 | N/A | 7.5 HIGH |
| OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopback (`127.0.0.1`, `::1`, `::ffff:127.0.0.1`) even when the configured webhook secret was missing or incorrect. This does not affect the default iMessage integration unless BlueBubbles is installed and enabled. Version 2026.2.13 contains a patch. Other mitigations include setting a non-empty BlueBubbles webhook password and avoiding deployments where a public-facing reverse proxy forwards to a loopback-bound Gateway without strong upstream authentication. | |||||
| CVE-2022-0762 | 1 Microweber | 1 Microweber | 2026-02-24 | 4.0 MEDIUM | 5.5 MEDIUM |
| Incorrect Authorization in GitHub repository microweber/microweber prior to 1.3. | |||||
| CVE-2022-0580 | 1 Librenms | 1 Librenms | 2026-02-24 | 6.5 MEDIUM | 7.1 HIGH |
| Incorrect Authorization in Packagist librenms/librenms prior to 22.2.0. | |||||
| CVE-2025-11581 | 1 Powerjob | 1 Powerjob | 2026-02-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the component OpenAPIController. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | |||||
| CVE-2025-11580 | 1 Powerjob | 1 Powerjob | 2026-02-24 | 5.0 MEDIUM | 5.3 MEDIUM |
| A weakness has been identified in PowerJob up to 5.1.2. This affects the function list of the file /user/list. This manipulation causes missing authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2025-15390 | 1 Phpgurukul | 1 Small Crm | 2026-02-24 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2025-12925 | 1 Rymcu | 1 Forest | 2026-02-24 | 7.5 HIGH | 7.3 HIGH |
| A security flaw has been discovered in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. Impacted is the function getAll/addDic/getAllDic/deleteDic of the file src/main/java/com/rymcu/forest/lucene/api/UserDicController.java. The manipulation results in missing authorization. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | |||||
| CVE-2025-12924 | 1 Rymcu | 1 Forest | 2026-02-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was identified in rymcu forest up to de53ce79db9faa2efc4e79ce1077a302c42a1224. This issue affects the function GlobalResult of the file src/main/java/com/rymcu/forest/web/api/bank/BankController.java. The manipulation leads to missing authorization. The attack may be initiated remotely. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | |||||
| CVE-2020-7921 | 1 Mongodb | 1 Mongodb | 2026-02-23 | 3.5 LOW | 4.6 MEDIUM |
| Improper serialization of internal state in the authorization subsystem in MongoDB Server's authorization subsystem permits a user with valid credentials to bypass IP whitelisting protection mechanisms following administrative action. This issue affects MongoDB Server v4.2 versions prior to 4.2.3; MongoDB Server v4.0 versions prior to 4.0.15; MongoDB Server v4.3 versions prior to 4.3.3and MongoDB Server v3.6 versions prior to 3.6.18. | |||||
| CVE-2020-16904 | 1 Microsoft | 1 Azure Functions | 2026-02-23 | 7.5 HIGH | 5.3 MEDIUM |
| <p>An elevation of privilege vulnerability exists in the way Azure Functions validate access keys.</p> <p>An unauthenticated attacker who successfully exploited this vulnerability could invoke an HTTP Function without proper authorization.</p> <p>This security update addresses the vulnerability by correctly validating access keys used to access HTTP Functions.</p> | |||||
| CVE-2025-14318 | 1 M-files | 1 M-files Server | 2026-02-23 | N/A | 4.3 MEDIUM |
| Improper access checks in M-Files Server before 25.12.15491.7 allows users to download files through M-Files Web using Web Companion despite Print and Download Prevention module being enabled. | |||||