Syntax: kev:true severity:critical epss:>0.95 vendor:cisco patch:false
Filters
Severity
Exploitation
Data Source
Data Quality
Vendor
CWE — Weakness Type
Clear all
Top 20 matches Showing top matches — use filters or a more specific query to narrow
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=t
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use th
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets throug
Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authent
Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpo
A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isA
CVE-2020-36892
CRITICAL CVSS 9.3
Find Similar
Eibiz i-Media Server Digital Signage 3.8.0 contains an unauthenticated privilege escalation vulnerability in the updateUser object that allows attackers to modify user roles. Attackers can exploit the
A vulnerability was found in Zenvia Movidesk up to 25.01.22. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /Account/EditProfile of the component Pr
Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers
Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user (including `BASIC` role) can escalate to `ADMIN` on servers migrated from password authentication to Open
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The
phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser() and updateUserRights() endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users
OneUptime is a solution for monitoring and managing online services. Prior to version 8.0.5567, OneUptime is vulnerable to privilege escalation via Login Response Manipulation. During the login proces
A security vulnerability has been detected in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controlle
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authen
OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member c
An access control issue in IceCMS v3.4.7 and before allows attackers to arbitrarily modify users' information, including username and password, via a crafted POST request sent to the endpoint /User/Ch
SOPlanning is vulnerable to Privilege Escalation in user management tab. Users with user_manage_team role are allowed to modify permissions of users. However, they are able to assign administrative pe
An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an es
CVE-2026-23837
CRITICAL CVSS 9.8
Find Similar
MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandator
Page 1+ Next →