|
3881
|
5.0 |
MEDIUM
Network
|
-
|
-
|
An authorization bypass (CWE-639) in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy …
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-7573
|
2026-05-7 23:56 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3882
|
- |
|
-
|
-
|
An authenticated (non-super) administrator can create a maintenance period with a JavaScript payload that is executed by any user that opens tooltip for that maintenance period in the Host navigator …
|
CWE-79
Cross-site Scripting
|
CVE-2026-23926
|
2026-05-7 23:56 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3883
|
- |
|
-
|
-
|
A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle datab…
|
CWE-522
Insufficiently Protected Credentials
|
CVE-2026-23927
|
2026-05-7 23:56 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3884
|
- |
|
-
|
-
|
The Item history widget (in Zabbix 7.0+) or the Plain text widget (in Zabbix 6.0) can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized acti…
|
CWE-79
Cross-site Scripting
|
CVE-2026-23928
|
2026-05-7 23:56 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3885
|
5.2 |
MEDIUM
Local
|
-
|
-
|
There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traver…
|
CWE-269
Improper Privilege Management
|
CVE-2026-40001
|
2026-05-7 23:56 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3886
|
6.3 |
MEDIUM
Local
|
-
|
-
|
A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent runs, can exploit a vulnerability in the Keylime verifier. The verifier uses a hard…
|
CWE-1241
Use of Predictable Algorithm in Random Number Generator
|
CVE-2026-6420
|
2026-05-7 23:56 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3887
|
6.8 |
MEDIUM
Network
|
-
|
-
|
Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, hold…
|
CWE-863
Incorrect Authorization
|
CVE-2026-6863
|
2026-05-7 23:56 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3888
|
6.8 |
MEDIUM
Network
|
-
|
-
|
Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint (/modules/sso/index.php/oidc/introspect) always returns {"active": true} for every re…
|
CWE-287
Improper Authentication
|
CVE-2026-41671
|
2026-05-7 23:54 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3889
|
- |
|
-
|
-
|
A hidden console command is vulnerable to command injection
flaw when control characters are passed to its second argument.
A third party researcher Eugene Lim had discovered vulnerability
in the w…
|
CWE-88
Argument Injection
|
CVE-2026-7865
|
2026-05-7 23:53 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3890
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Apache::Session::Generate::ModUniqueId versions from 1.54 through 1.94 for Perl session ids are insecure.
Apache::Session::Generate::ModUniqueId (added in version 1.54) uses the value of the UNIQUE_…
|
CWE-340
Generation of Predictable Numbers or Identifiers
|
CVE-2026-5081
|
2026-05-7 23:52 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
