Total
2925 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-26067 | 2026-04-22 | N/A | 4.9 MEDIUM | ||
| October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even with cms.safe_mode enabled. This vulnerability is fixed in 3.7.14 and 4.1.10. | |||||
| CVE-2026-26274 | 2026-04-22 | N/A | 6.6 MEDIUM | ||
| October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10. | |||||
| CVE-2026-29179 | 2026-04-22 | N/A | 3.3 LOW | ||
| October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16. | |||||
| CVE-2026-40291 | 1 Chamilo | 1 Chamilo Lms | 2026-04-22 | N/A | 8.8 HIGH |
| Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3. | |||||
| CVE-2026-33031 | 1 Nginxui | 1 Nginx Ui | 2026-04-22 | N/A | 8.1 HIGH |
| Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue. | |||||
| CVE-2026-33461 | 1 Elastic | 1 Kibana | 2026-04-22 | N/A | 7.7 HIGH |
| Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs. | |||||
| CVE-2026-27447 | 1 Openprinting | 1 Cups | 2026-04-22 | N/A | 4.8 MEDIUM |
| OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches. | |||||
| CVE-2026-0562 | 1 Lollms | 1 Lollms | 2026-04-22 | N/A | 8.3 HIGH |
| A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0. | |||||
| CVE-2026-33460 | 1 Elastic | 1 Kibana | 2026-04-21 | N/A | 4.3 MEDIUM |
| Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access. | |||||
| CVE-2026-5384 | 1 Runzero | 1 Runzero Platform | 2026-04-21 | N/A | 5.8 MEDIUM |
| An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.26021.0 of the runZero Platform. | |||||
| CVE-2026-5383 | 1 Runzero | 1 Runzero Platform | 2026-04-21 | N/A | 4.4 MEDIUM |
| An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer. | |||||
| CVE-2026-5382 | 1 Runzero | 1 Runzero Platform | 2026-04-21 | N/A | 3.0 LOW |
| An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform. | |||||
| CVE-2026-5381 | 1 Runzero | 1 Runzero Platform | 2026-04-21 | N/A | 2.2 LOW |
| An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform. | |||||
| CVE-2026-5380 | 1 Runzero | 1 Runzero Platform | 2026-04-21 | N/A | 5.3 MEDIUM |
| An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform. | |||||
| CVE-2026-5379 | 1 Runzero | 1 Runzero Platform | 2026-04-21 | N/A | 3.0 LOW |
| An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | |||||
| CVE-2026-5378 | 1 Runzero | 1 Runzero Platform | 2026-04-21 | N/A | 5.8 MEDIUM |
| An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N (5.8 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | |||||
| CVE-2026-5374 | 1 Runzero | 1 Runzero Platform | 2026-04-21 | N/A | 5.8 MEDIUM |
| An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.260202.0 of the runZero Platform. | |||||
| CVE-2026-32228 | 1 Apache | 1 Airflow | 2026-04-21 | N/A | 7.5 HIGH |
| UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue. | |||||
| CVE-2025-68153 | 1 Canonical | 1 Juju | 2026-04-21 | N/A | 6.5 MEDIUM |
| Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This issue has been patched in versions 2.9.56 and 3.6.19. | |||||
| CVE-2025-68152 | 1 Canonical | 1 Juju | 2026-04-21 | N/A | 4.9 MEDIUM |
| Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, it is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. This issue has been patched in versions 2.9.56 and 3.6.19. | |||||