Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-40349 (GCVE-0-2026-40349)
Vulnerability from cvelistv5 – Published: 2026-04-18 00:05 – Updated: 2026-04-20 16:15
VLAI
Title
Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true
Summary
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/leepeuker/movary/security/advi… | x_refsource_CONFIRM |
| https://github.com/leepeuker/movary/pull/750 | x_refsource_MISC |
| https://github.com/leepeuker/movary/commit/12c8a0… | x_refsource_MISC |
| https://github.com/leepeuker/movary/releases/tag/0.71.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40349",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T16:10:42.542772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:15:49.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "movary",
"vendor": "leepeuker",
"versions": [
{
"status": "affected",
"version": "\u003c 0.71.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Movary is a self hosted web app to track and rate a user\u0027s watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-18T00:05:46.360Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/leepeuker/movary/security/advisories/GHSA-mcfq-8rx7-w25v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/leepeuker/movary/security/advisories/GHSA-mcfq-8rx7-w25v"
},
{
"name": "https://github.com/leepeuker/movary/pull/750",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/leepeuker/movary/pull/750"
},
{
"name": "https://github.com/leepeuker/movary/commit/12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/leepeuker/movary/commit/12c8a090051b1a1c07a3aa48922f3bc9ffe44c8b"
},
{
"name": "https://github.com/leepeuker/movary/releases/tag/0.71.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/leepeuker/movary/releases/tag/0.71.1"
}
],
"source": {
"advisory": "GHSA-mcfq-8rx7-w25v",
"discovery": "UNKNOWN"
},
"title": "Authenticated Movary User Can Self-Escalate to Administrator via PUT /settings/users/{userId} by Setting isAdmin=true"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40349",
"datePublished": "2026-04-18T00:05:46.360Z",
"dateReserved": "2026-04-10T22:50:01.359Z",
"dateUpdated": "2026-04-20T16:15:49.844Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4038 (GCVE-0-2026-4038)
Vulnerability from cvelistv5 – Published: 2026-03-20 03:37 – Updated: 2026-04-08 17:16
VLAI
Title
Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call
Summary
The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call that can lead to privilege escalation due to a missing capability check on the 'aiomatic_call_ai_function_realtime' function in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to call arbitrary WordPress functions such as 'update_option' to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CodeRevolution | Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit |
Affected:
0 , ≤ 2.7.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T14:28:40.345871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T14:28:46.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot \u0026 Automation Toolkit",
"vendor": "CodeRevolution",
"versions": [
{
"lessThanOrEqual": "2.7.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hung Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call that can lead to privilege escalation due to a missing capability check on the \u0027aiomatic_call_ai_function_realtime\u0027 function in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to call arbitrary WordPress functions such as \u0027update_option\u0027 to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:16:49.699Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3e45a17-cb41-41ba-ab6c-c83202f0ecfd?source=cve"
},
{
"url": "https://codecanyon.net/item/aimogen-pro-allinone-ai-content-writer-editor-chatbot-automation-toolkit/38877369"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-12T13:27:24.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-19T15:13:07.000Z",
"value": "Disclosed"
}
],
"title": "Aimogen Pro \u003c= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4038",
"datePublished": "2026-03-20T03:37:02.014Z",
"dateReserved": "2026-03-12T06:33:24.393Z",
"dateUpdated": "2026-04-08T17:16:49.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40474 (GCVE-0-2026-40474)
Vulnerability from cvelistv5 – Published: 2026-04-17 21:39 – Updated: 2026-04-20 16:08
VLAI
Title
wger has Broken Access Control in the Global Gym Configuration Update Endpoint
Summary
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/wger-project/wger/security/adv… | x_refsource_CONFIRM |
| https://github.com/wger-project/wger/commit/47ee5… | x_refsource_MISC |
| https://github.com/wger-project/wger/releases/tag/2.5 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wger-project | wger |
Affected:
< 2.5
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40474",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T16:07:54.509720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:08:12.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wger",
"vendor": "wger-project",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = \u0027config.change_gymconfig\u0027 but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments \u2014 a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T21:39:03.677Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wger-project/wger/security/advisories/GHSA-xppv-4jrx-qf8m"
},
{
"name": "https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wger-project/wger/commit/47ee5af93b3ced24b9f94b0a8b9296b50bc9523f"
},
{
"name": "https://github.com/wger-project/wger/releases/tag/2.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wger-project/wger/releases/tag/2.5"
}
],
"source": {
"advisory": "GHSA-xppv-4jrx-qf8m",
"discovery": "UNKNOWN"
},
"title": "wger has Broken Access Control in the Global Gym Configuration Update Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40474",
"datePublished": "2026-04-17T21:39:03.677Z",
"dateReserved": "2026-04-13T19:50:42.113Z",
"dateUpdated": "2026-04-20T16:08:12.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40480 (GCVE-0-2026-40480)
Vulnerability from cvelistv5 – Published: 2026-04-17 23:07 – Updated: 2026-04-20 16:16
VLAI
Title
ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`
Summary
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members' records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ChurchCRM/CRM/security/advisor… | x_refsource_CONFIRM |
| https://github.com/ChurchCRM/CRM/issues/8617 | x_refsource_MISC |
| https://github.com/ChurchCRM/CRM/pull/8616 | x_refsource_MISC |
| https://github.com/ChurchCRM/CRM/commit/28ea7a296… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40480",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T16:15:56.128986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T16:16:00.433Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CRM",
"vendor": "ChurchCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members\u0027 records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T23:07:30.126Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5w59-32c8-933v"
},
{
"name": "https://github.com/ChurchCRM/CRM/issues/8617",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ChurchCRM/CRM/issues/8617"
},
{
"name": "https://github.com/ChurchCRM/CRM/pull/8616",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ChurchCRM/CRM/pull/8616"
},
{
"name": "https://github.com/ChurchCRM/CRM/commit/28ea7a2965fc2fe30e150fadb1ae38a97f8225c2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ChurchCRM/CRM/commit/28ea7a2965fc2fe30e150fadb1ae38a97f8225c2"
}
],
"source": {
"advisory": "GHSA-5w59-32c8-933v",
"discovery": "UNKNOWN"
},
"title": "ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40480",
"datePublished": "2026-04-17T23:07:30.126Z",
"dateReserved": "2026-04-13T19:50:42.114Z",
"dateUpdated": "2026-04-20T16:16:00.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40502 (GCVE-0-2026-40502)
Vulnerability from cvelistv5 – Published: 2026-04-16 00:08 – Updated: 2026-04-16 14:19
VLAI
Title
OpenHarness Remote Administrative Command Injection via Gateway Handler
Summary
OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/HKUDS/OpenHarness/pull/127 | issue-tracking |
| https://github.com/HKUDS/OpenHarness/commit/dd1d2… | patch |
| https://www.vulncheck.com/advisories/openharness-… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| HKUDS | OpenHarness |
Affected:
0 , < dd1d235450dd987b20bff01b7bfb02fe8620a0af
(git)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T14:17:24.435663Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T14:19:24.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenHarness",
"repo": "https://github.com/HKUDS/OpenHarness",
"vendor": "HKUDS",
"versions": [
{
"lessThan": "dd1d235450dd987b20bff01b7bfb02fe8620a0af",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chia Min Jun Lennon"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization.\u003cbr\u003e"
}
],
"value": "OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can execute administrative commands such as /permissions full_auto through remote chat sessions to change permission modes of a running OpenHarness instance without operator authorization."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T00:10:11.020Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/HKUDS/OpenHarness/pull/127"
},
{
"tags": [
"patch"
],
"url": "https://github.com/HKUDS/OpenHarness/commit/dd1d235450dd987b20bff01b7bfb02fe8620a0af"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openharness-remote-administrative-command-injection-via-gateway-handler"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "OpenHarness Remote Administrative Command Injection via Gateway Handler",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-40502",
"datePublished": "2026-04-16T00:08:34.463Z",
"dateReserved": "2026-04-13T20:29:02.808Z",
"dateUpdated": "2026-04-16T14:19:24.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40543 (GCVE-0-2026-40543)
Vulnerability from cvelistv5 – Published: 2026-06-01 09:03 – Updated: 2026-06-01 13:07
VLAI
Title
Missing Authorization in SOPlanning
Summary
SOPlanning does not enforce authorization for backup functionalities. An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional sensitive information.
This issue affects SOPlanning version 1.55 and below.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2026/06/CVE-2026-40543 | third-party-advisory |
| https://www.soplanning.org/en/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SOPlanning | SOPlanning |
Affected:
0 , ≤ 1.55
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40543",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T13:07:38.487496Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T13:07:52.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SOPlanning",
"vendor": "SOPlanning",
"versions": [
{
"lessThanOrEqual": "1.55",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\u0141ukasz Jaworski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SOPlanning does not enforce authorization for backup functionalities.\u0026nbsp;An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the \u003ci\u003econfig.csv\u003c/i\u003e file, which includes additional sensitive information.\u003cbr\u003e\u003cbr\u003eThis issue affects SOPlanning version 1.55 and below.\u003cbr\u003e"
}
],
"value": "SOPlanning does not enforce authorization for backup functionalities.\u00a0An unauthenticated attacker can directly query backup-related endpoints and retrieve backup archives containing user databases with usernames and password hashes, as well as the config.csv file, which includes additional sensitive information.\n\nThis issue affects SOPlanning version 1.55 and below."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T09:03:44.790Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2026/06/CVE-2026-40543"
},
{
"tags": [
"product"
],
"url": "https://www.soplanning.org/en/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Missing Authorization in SOPlanning",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-40543",
"datePublished": "2026-06-01T09:03:44.790Z",
"dateReserved": "2026-04-14T09:44:27.613Z",
"dateUpdated": "2026-06-01T13:07:52.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4056 (GCVE-0-2026-4056)
Vulnerability from cvelistv5 – Published: 2026-03-23 23:25 – Updated: 2026-04-08 17:02
VLAI
Title
User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Content Access Rule Manipulation
Summary
The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This is due to the `check_permissions()` method only checking for `edit_posts` capability instead of an administrator-level capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpeverest | User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder |
Affected:
0 , ≤ 5.1.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T19:20:55.886633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T19:21:07.947Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "User Registration \u0026 Membership \u2013 Free \u0026 Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration \u0026 Login Builder",
"vendor": "wpeverest",
"versions": [
{
"lessThanOrEqual": "5.1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "darkestmode"
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Registration \u0026 Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This is due to the `check_permissions()` method only checking for `edit_posts` capability instead of an administrator-level capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:02:32.146Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bb5a5a2-9644-4850-a5f9-7c925af000c8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.1/modules/content-restriction/includes/RestApi/controllers/version1/class-urcr-content-access-rules.php#L116"
},
{
"url": "https://plugins.trac.wordpress.org/browser/user-registration/trunk/modules/content-restriction/includes/RestApi/controllers/version1/class-urcr-content-access-rules.php#L116"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3485702/user-registration/trunk/modules/content-restriction/includes/RestApi/controllers/version1/class-urcr-content-access-rules.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-12T16:42:35.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-23T11:24:15.000Z",
"value": "Disclosed"
}
],
"title": "User Registration \u0026 Membership \u003c= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Content Access Rule Manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4056",
"datePublished": "2026-03-23T23:25:49.917Z",
"dateReserved": "2026-03-12T16:26:32.690Z",
"dateUpdated": "2026-04-08T17:02:32.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4057 (GCVE-0-2026-4057)
Vulnerability from cvelistv5 – Published: 2026-04-10 01:24 – Updated: 2026-04-13 15:15
VLAI
Title
Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal
Summary
The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| codename065 | Download Manager |
Affected:
0 , ≤ 3.3.51
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:08:27.082338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:15:09.337Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Download Manager",
"vendor": "codename065",
"versions": [
{
"lessThanOrEqual": "3.3.51",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Or Benit"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can(\u0027edit_post\u0027, $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T01:24:58.764Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6b02846-61be-4571-921d-53df5493f856?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/MediaLibrary/MediaAccessControl.php#L257"
},
{
"url": "https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/MediaLibrary/MediaAccessControl.php#L237"
},
{
"url": "https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php#L257"
},
{
"url": "https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php#L237"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3492316/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fdownload-manager/tags/3.3.51\u0026new_path=%2Fdownload-manager/tags/3.3.52"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-12T17:09:42.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-09T12:00:41.000Z",
"value": "Disclosed"
}
],
"title": "Download Manager \u003c= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4057",
"datePublished": "2026-04-10T01:24:58.764Z",
"dateReserved": "2026-03-12T16:54:21.437Z",
"dateUpdated": "2026-04-13T15:15:09.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40570 (GCVE-0-2026-40570)
Vulnerability from cvelistv5 – Published: 2026-04-21 16:48 – Updated: 2026-04-21 19:11
VLAI
Title
FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII
Summary
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/freescout-help-desk/freescout/… | x_refsource_CONFIRM |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
| https://github.com/freescout-help-desk/freescout/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| freescout-help-desk | freescout |
Affected:
< 1.8.213
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40570",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:11:31.685464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:11:51.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w77q-wjfp-c822"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "freescout",
"vendor": "freescout-help-desk",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.213"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T16:48:08.260Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w77q-wjfp-c822",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w77q-wjfp-c822"
},
{
"name": "https://github.com/freescout-help-desk/freescout/commit/f35b4249c72d9bdac6ab1ea4e288f5894be34057",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/commit/f35b4249c72d9bdac6ab1ea4e288f5894be34057"
},
{
"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"
}
],
"source": {
"advisory": "GHSA-w77q-wjfp-c822",
"discovery": "UNKNOWN"
},
"title": "FreeScout\u0027s Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40570",
"datePublished": "2026-04-21T16:48:08.260Z",
"dateReserved": "2026-04-14T13:24:29.474Z",
"dateUpdated": "2026-04-21T19:11:51.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40571 (GCVE-0-2026-40571)
Vulnerability from cvelistv5 – Published: 2026-06-02 16:44 – Updated: 2026-06-03 13:50
VLAI
Title
NamelessMC: Reactions on private or blocking profile posts can be modified without proper authorization
Summary
NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 contains a patch.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/NamelessMC/Nameless/security/a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NamelessMC | Nameless |
Affected:
= 2.2.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40571",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:50:29.871260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T13:50:57.992Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-47hr-jj6c-rqf9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Nameless",
"vendor": "NamelessMC",
"versions": [
{
"status": "affected",
"version": "= 2.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NamelessMC is website software for Minecraft servers. In version 2.2.4, `core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 contains a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T16:44:14.286Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-47hr-jj6c-rqf9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NamelessMC/Nameless/security/advisories/GHSA-47hr-jj6c-rqf9"
}
],
"source": {
"advisory": "GHSA-47hr-jj6c-rqf9",
"discovery": "UNKNOWN"
},
"title": "NamelessMC: Reactions on private or blocking profile posts can be modified without proper authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40571",
"datePublished": "2026-06-02T16:44:14.286Z",
"dateReserved": "2026-04-14T13:24:29.474Z",
"dateUpdated": "2026-06-03T13:50:57.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.