Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CVE-2026-1007 (GCVE-0-2026-1007)
Vulnerability from cvelistv5 – Published: 2026-01-19 14:32 – Updated: 2026-01-20 15:02
VLAI
Summary
Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12.
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Devolutions | Server |
Affected:
2025.3.1 , ≤ 2025.3.12
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-1007",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:59:01.092565Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:02:33.576Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Server",
"vendor": "Devolutions",
"versions": [
{
"lessThanOrEqual": "2025.3.12",
"status": "affected",
"version": "2025.3.1",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.\u003cp\u003eThis issue affects Server: from 2025.3.1 through 2025.3.12.\u003c/p\u003e"
}
],
"value": "Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules.This issue affects Server: from 2025.3.1 through 2025.3.12."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T14:32:06.163Z",
"orgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"shortName": "DEVOLUTIONS"
},
"references": [
{
"url": "https://devolutions.net/security/advisories/DEVO-2026-0003/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bfee16bd-18e6-446c-9a65-f5b2e3d89c23",
"assignerShortName": "DEVOLUTIONS",
"cveId": "CVE-2026-1007",
"datePublished": "2026-01-19T14:32:06.163Z",
"dateReserved": "2026-01-15T21:15:42.207Z",
"dateUpdated": "2026-01-20T15:02:33.576Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10211 (GCVE-0-2026-10211)
Vulnerability from cvelistv5 – Published: 2026-06-01 01:15 – Updated: 2026-06-01 14:58
VLAI
Title
AstrBotDevs AstrBot fs.py _normalize_rw_path authorization
Summary
A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function _normalize_rw_path of the file astrbot/core/tools/computer_tools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367490 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367490/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10211 | third-party-advisory |
| https://vuldb.com/submit/821921 | third-party-advisory |
| https://gist.github.com/YLChen-007/b5e4671ff68e4f… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AstrBotDevs | AstrBot |
Affected:
4.23.6
cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10211",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T14:58:10.598582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T14:58:16.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:astrbot:astrbot:*:*:*:*:*:*:*:*"
],
"product": "AstrBot",
"vendor": "AstrBotDevs",
"versions": [
{
"status": "affected",
"version": "4.23.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-a (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in AstrBotDevs AstrBot 4.23.6. Affected by this issue is the function _normalize_rw_path of the file astrbot/core/tools/computer_tools/fs.py. This manipulation causes incorrect authorization. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T01:15:09.789Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367490 | AstrBotDevs AstrBot fs.py _normalize_rw_path authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367490"
},
{
"name": "VDB-367490 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367490/cti"
},
{
"name": "CVE-2026-10211 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10211"
},
{
"name": "Submit #821921 | AstrBotDevs AstrBot 4.23.6 Incorrect Authorization (CWE-863)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/821921"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/b5e4671ff68e4f9001d977180ef4f081"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T09:19:12.000Z",
"value": "VulDB entry last update"
}
],
"title": "AstrBotDevs AstrBot fs.py _normalize_rw_path authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10211",
"datePublished": "2026-06-01T01:15:09.789Z",
"dateReserved": "2026-05-31T07:14:05.629Z",
"dateUpdated": "2026-06-01T14:58:16.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10616 (GCVE-0-2026-10616)
Vulnerability from cvelistv5 – Published: 2026-06-02 18:30 – Updated: 2026-06-03 13:54
VLAI
Title
nextlevelbuilder GoClaw Team Task Completion team_tasks_lifecycle.go TeamTasksTool.executeComplete authorization
Summary
A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the component Team Task Completion Handler. Executing a manipulation can lead to missing authorization. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367925 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367925/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10616 | third-party-advisory |
| https://vuldb.com/submit/829420 | third-party-advisory |
| https://github.com/nextlevelbuilder/goclaw/issues/1133 | exploitissue-tracking |
| https://github.com/nextlevelbuilder/goclaw/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextlevelbuilder | GoClaw |
Affected:
3.11.0
Affected: 3.11.1 Affected: 3.11.2 Affected: 3.11.3 cpe:2.3:a:nextlevelbuilder:goclaw:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10616",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:53:44.308285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T13:54:48.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:nextlevelbuilder:goclaw:*:*:*:*:*:*:*:*"
],
"modules": [
"Team Task Completion Handler"
],
"product": "GoClaw",
"vendor": "nextlevelbuilder",
"versions": [
{
"status": "affected",
"version": "3.11.0"
},
{
"status": "affected",
"version": "3.11.1"
},
{
"status": "affected",
"version": "3.11.2"
},
{
"status": "affected",
"version": "3.11.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-h (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the component Team Task Completion Handler. Executing a manipulation can lead to missing authorization. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T18:30:09.138Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367925 | nextlevelbuilder GoClaw Team Task Completion team_tasks_lifecycle.go TeamTasksTool.executeComplete authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367925"
},
{
"name": "VDB-367925 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367925/cti"
},
{
"name": "CVE-2026-10616 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10616"
},
{
"name": "Submit #829420 | nextlevelbuilder GoClaw \u003c= 3.11.3 Missing Authorization (CWE-862)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/829420"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/nextlevelbuilder/goclaw/issues/1133"
},
{
"tags": [
"product"
],
"url": "https://github.com/nextlevelbuilder/goclaw/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-02T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-02T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-02T15:54:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "nextlevelbuilder GoClaw Team Task Completion team_tasks_lifecycle.go TeamTasksTool.executeComplete authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10616",
"datePublished": "2026-06-02T18:30:09.138Z",
"dateReserved": "2026-06-02T13:49:13.400Z",
"dateUpdated": "2026-06-03T13:54:48.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10741 (GCVE-0-2026-10741)
Vulnerability from cvelistv5 – Published: 2026-06-17 19:01 – Updated: 2026-06-17 19:37
VLAI
Title
Nexus Repository Manager - Incorrect Authorization allows credential disclosure via proxy repository configuration
Summary
Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://help.sonatype.com/en/sonatype-nexus-repos… | patch |
| https://support.sonatype.com/hc/en-us/articles/52… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Sonatype | Nexus Repository Manager |
Affected:
3.1.0 , < 3.93.0
(semver)
cpe:2.3:a:sonatype:nexus_repository_manager:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.2.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.3.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.4.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.5.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.6.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.7.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.7.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.8.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.9.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.10.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.11.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.12.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.12.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.13.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.14.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.15.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.16.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.16.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.16.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.17.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.18.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.18.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.19.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.19.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.20.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.20.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.21.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.22.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.22.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.23.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.24.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.25.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.25.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.26.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.26.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.27.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.28.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.28.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.29.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.29.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.30.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.30.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.31.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.31.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.32.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.32.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.33.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.33.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.34.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.34.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.35.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.36.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.37.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.38.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.38.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.39.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.40.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.40.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.41.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.41.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.42.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.43.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.44.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.45.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.45.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.46.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.47.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.47.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.48.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.49.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.50.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.51.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.52.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.53.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.53.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.54.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.54.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.55.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.56.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.57.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.57.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.58.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.58.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.59.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.60.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.61.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.62.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.63.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.64.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.65.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.66.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.67.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.67.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.68.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.68.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.69.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.4:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.70.5:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.71.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.72.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.73.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.74.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.75.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.75.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.76.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.76.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.77.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.78.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.78.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.79.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.80.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.81.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.82.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.83.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.83.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.83.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.84.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.84.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.84.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.85.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.85.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.86.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.86.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.86.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.87.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.87.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.87.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.88.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.89.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.89.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.90.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.90.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.90.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.90.3:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.91.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.91.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.92.0:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.92.1:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.92.2:*:*:*:*:*:*:* cpe:2.3:a:sonatype:nexus_repository_manager:3.92.3:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T19:37:05.347645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T19:37:16.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sonatype:nexus_repository_manager:3.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.2.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.3.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.4.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.6.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.7.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.9.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.12.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.12.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.13.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.14.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.15.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.16.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.17.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.18.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.18.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.19.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.19.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.20.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.20.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.21.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.22.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.22.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.23.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.24.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.25.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.25.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.26.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.26.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.27.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.28.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.28.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.29.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.29.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.30.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.30.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.31.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.31.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.32.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.32.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.33.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.33.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.34.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.34.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.35.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.36.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.37.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.38.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.38.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.39.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.40.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.40.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.41.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.41.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.42.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.43.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.44.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.45.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.45.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.46.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.47.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.47.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.48.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.49.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.50.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.51.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.52.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.53.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.53.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.54.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.54.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.55.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.56.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.57.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.57.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.58.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.58.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.59.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.60.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.61.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.62.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.63.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.64.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.65.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.66.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.67.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.67.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.68.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.68.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.69.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.4:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.70.5:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.71.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.72.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.73.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.74.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.75.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.75.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.76.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.76.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.77.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.78.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.78.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.79.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.80.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.81.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.82.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.83.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.83.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.83.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.84.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.84.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.84.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.85.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.85.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.86.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.86.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.86.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.87.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.87.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.87.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.88.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.89.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.89.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.90.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.90.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.90.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.90.3:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.91.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.91.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.92.0:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.92.1:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.92.2:*:*:*:*:*:*:*",
"cpe:2.3:a:sonatype:nexus_repository_manager:3.92.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Nexus Repository Manager",
"vendor": "Sonatype",
"versions": [
{
"lessThan": "3.93.0",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ho Boon Suan"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials."
}
],
"value": "Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T19:01:13.173Z",
"orgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"shortName": "Sonatype"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://help.sonatype.com/en/sonatype-nexus-repository-3-93-0-release-notes.html"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://support.sonatype.com/hc/en-us/articles/52341191736851"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Nexus Repository Manager - Incorrect Authorization allows credential disclosure via proxy repository configuration",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "103e4ec9-0a87-450b-af77-479448ddef11",
"assignerShortName": "Sonatype",
"cveId": "CVE-2026-10741",
"datePublished": "2026-06-17T19:01:13.173Z",
"dateReserved": "2026-06-03T13:22:08.536Z",
"dateUpdated": "2026-06-17T19:37:16.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10815 (GCVE-0-2026-10815)
Vulnerability from cvelistv5 – Published: 2026-06-04 15:30 – Updated: 2026-06-04 15:56
VLAI
Title
LakshayD02 Hostel-Management-System-PHP Admin Dashboard index.php authorization
Summary
A vulnerability was found in LakshayD02 Hostel-Management-System-PHP up to f87e67c283bab6f718faf2fec6ae39a13bd7036b. This issue affects some unknown processing of the file hostel/index.php of the component Admin Dashboard Page. The manipulation of the argument ID results in missing authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/368263 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/368263/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10815 | third-party-advisory |
| https://vuldb.com/submit/831780 | third-party-advisory |
| https://github.com/LakshayD02/Hostel-Management-S… | exploitissue-tracking |
| https://github.com/LakshayD02/Hostel-Management-S… | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| LakshayD02 | Hostel-Management-System-PHP |
Affected:
f87e67c283bab6f718faf2fec6ae39a13bd7036b
cpe:2.3:a:lakshayd02:hostel-management-system-php:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10815",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T15:55:04.296223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T15:56:30.145Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:lakshayd02:hostel-management-system-php:*:*:*:*:*:*:*:*"
],
"modules": [
"Admin Dashboard Page"
],
"product": "Hostel-Management-System-PHP",
"vendor": "LakshayD02",
"versions": [
{
"status": "affected",
"version": "f87e67c283bab6f718faf2fec6ae39a13bd7036b"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "xady (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in LakshayD02 Hostel-Management-System-PHP up to f87e67c283bab6f718faf2fec6ae39a13bd7036b. This issue affects some unknown processing of the file hostel/index.php of the component Admin Dashboard Page. The manipulation of the argument ID results in missing authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T15:30:10.133Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-368263 | LakshayD02 Hostel-Management-System-PHP Admin Dashboard index.php authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/368263"
},
{
"name": "VDB-368263 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/368263/cti"
},
{
"name": "CVE-2026-10815 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10815"
},
{
"name": "Submit #831780 | LakshayD02 GitHub Hostel Management System PHP f87e67c283bab6f718faf2fec6ae39a13bd7036b Improper Authorization",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/831780"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/LakshayD02/Hostel-Management-System-PHP/issues/1"
},
{
"tags": [
"product"
],
"url": "https://github.com/LakshayD02/Hostel-Management-System-PHP/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-04T07:51:25.000Z",
"value": "VulDB entry last update"
}
],
"title": "LakshayD02 Hostel-Management-System-PHP Admin Dashboard index.php authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10815",
"datePublished": "2026-06-04T15:30:10.133Z",
"dateReserved": "2026-06-04T05:46:21.294Z",
"dateUpdated": "2026-06-04T15:56:30.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10860 (GCVE-0-2026-10860)
Vulnerability from cvelistv5 – Published: 2026-06-04 13:34 – Updated: 2026-06-11 13:24
VLAI
Title
MISP CRUDComponent delete validation bypass via operator precedence error
Summary
A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null && POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/commit/a5877559dc88a… | patch |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T17:12:22.589498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T17:16:34.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "misp",
"vendor": "misp",
"versions": [
{
"lessThanOrEqual": "2.5.38",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jeroen Pinoy"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Andras Iklody"
},
{
"lang": "en",
"type": "finder",
"value": "Fase Rais Baradika"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as \u003ccode\u003e($validationError === null \u0026amp;\u0026amp; POST) || DELETE\u003c/code\u003e, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks."
}
],
"value": "A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as ($validationError === null \u0026\u0026 POST) || DELETE, meaning a DELETE request could proceed even when the delete validation callback had rejected the operation. An authenticated attacker with access to an affected delete endpoint could abuse this flaw to delete records that should have been protected by application-level validation or authorization checks."
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
},
{
"capecId": "CAPEC-87",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-87 Forceful Browsing"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.9,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T13:24:54.103Z",
"orgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"shortName": "CIRCL"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/MISP/MISP/commit/a5877559dc88ad7a0c935910a652c130489ae2bd"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "MISP CRUDComponent delete validation bypass via operator precedence error",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "5a6e4751-2f3f-4070-9419-94fb35b644e8",
"assignerShortName": "CIRCL",
"cveId": "CVE-2026-10860",
"datePublished": "2026-06-04T13:34:27.444Z",
"dateReserved": "2026-06-04T13:25:04.022Z",
"dateUpdated": "2026-06-11T13:24:54.103Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11379 (GCVE-0-2026-11379)
Vulnerability from cvelistv5 – Published: 2026-06-25 04:33 – Updated: 2026-06-25 13:11
VLAI
Title
Incorrect Authorization in GitLab
Summary
GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1 in which incorrect authorization in DAST site profile management could allow a user with Developer role to exfiltrate DAST site profile secrets under certain conditions.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11379",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T13:10:02.747596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T13:11:32.968Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "18.11.6",
"status": "affected",
"version": "13.11",
"versionType": "semver"
},
{
"lessThan": "19.0.3",
"status": "affected",
"version": "19.0",
"versionType": "semver"
},
{
"lessThan": "19.1.1",
"status": "affected",
"version": "19.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This vulnerability has been discovered internally by GitLab team member David Nelson"
}
],
"descriptions": [
{
"lang": "en",
"value": "GitLab has remediated an issue in GitLab EE affecting all versions from 13.11 prior to 18.11.6, 19.0 prior to 19.0.3, and 19.1 prior to 19.1.1 in which incorrect authorization in DAST site profile management could allow a user with Developer role to exfiltrate DAST site profile secrets under certain conditions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T04:33:49.041Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/517659"
},
{
"url": "https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-1-released/"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 18.11.6, 19.0.3, 19.1.1 or above."
}
],
"title": "Incorrect Authorization in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2026-11379",
"datePublished": "2026-06-25T04:33:49.041Z",
"dateReserved": "2026-06-05T12:50:38.119Z",
"dateUpdated": "2026-06-25T13:11:32.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11577 (GCVE-0-2026-11577)
Vulnerability from cvelistv5 – Published: 2026-06-08 11:44 – Updated: 2026-06-16 07:32
VLAI
Title
Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass
Summary
A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings.
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://access.redhat.com/security/cve/CVE-2026-11577 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2459993 | issue-trackingx_refsource_REDHAT |
| https://github.com/keycloak/keycloak/issues/9387 |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak |
cpe:/a:redhat:build_keycloak: |
|
| Red Hat | Red Hat Data Grid 8 |
cpe:/a:redhat:jboss_data_grid:8 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform 8 |
cpe:/a:redhat:jboss_enterprise_application_platform:8 |
|
| Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack |
cpe:/a:redhat:jbosseapxp |
|
| Red Hat | Red Hat Single Sign-On 7 |
cpe:/a:redhat:red_hat_single_sign_on:7 |
Date Public
2026-06-08 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11577",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T18:38:26.079653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T18:38:42.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/keycloak/keycloak/issues/9387"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected",
"packageName": "keycloak-services",
"product": "Red Hat Build of Keycloak",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:jboss_data_grid:8"
],
"defaultStatus": "unaffected",
"packageName": "keycloak-services",
"product": "Red Hat Data Grid 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "unaffected",
"packageName": "keycloak-services",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "unaffected",
"packageName": "keycloak-services",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
],
"defaultStatus": "unknown",
"packageName": "keycloak-services",
"product": "Red Hat Single Sign-On 7",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Andrii Ilin (10Guards) for reporting this issue."
}
],
"datePublic": "2026-06-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm administrator by importing users with realm-admin role mappings."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T07:32:45.088Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-11577"
},
{
"name": "RHBZ#2459993",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459993"
},
{
"url": "https://github.com/keycloak/keycloak/issues/9387"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-18T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-08T00:00:00.000Z",
"value": "Made public."
}
],
"title": "Keycloak: keycloak: privilege escalation via partialimport fgap permission bypass",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-863: Incorrect Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-11577",
"datePublished": "2026-06-08T11:44:41.892Z",
"dateReserved": "2026-06-08T11:34:22.437Z",
"dateUpdated": "2026-06-16T07:32:45.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12797 (GCVE-0-2026-12797)
Vulnerability from cvelistv5 – Published: 2026-06-21 09:15 – Updated: 2026-06-22 13:35
VLAI
Title
BerriAI litellm Completions banned_keywords.py async_pre_call_hook authorization
Summary
A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/372559 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/372559/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-12797 | third-party-advisory |
| https://vuldb.com/submit/811288 | third-party-advisory |
| https://gist.github.com/YLChen-007/078179224f07cc… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12797",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T13:35:34.363730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T13:35:44.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*"
],
"modules": [
"Completions Interface"
],
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "1.82.0"
},
{
"status": "affected",
"version": "1.82.1"
},
{
"status": "affected",
"version": "1.82.2"
},
{
"status": "affected",
"version": "1.82.3"
},
{
"status": "affected",
"version": "1.82.4"
},
{
"status": "affected",
"version": "1.82.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-c (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function async_pre_call_hook of the file enterprise/enterprise_hooks/banned_keywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-21T09:15:08.592Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-372559 | BerriAI litellm Completions banned_keywords.py async_pre_call_hook authorization",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/372559"
},
{
"name": "VDB-372559 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/372559/cti"
},
{
"name": "CVE-2026-12797 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12797"
},
{
"name": "Submit #811288 | litellm \u003c= 1.82.5 Incorrect Authorization (CWE-863)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/811288"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/078179224f07cc4e39e4f141a18c817a"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-20T19:17:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "BerriAI litellm Completions banned_keywords.py async_pre_call_hook authorization"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12797",
"datePublished": "2026-06-21T09:15:08.592Z",
"dateReserved": "2026-06-20T17:12:18.055Z",
"dateUpdated": "2026-06-22T13:35:44.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1471 (GCVE-0-2026-1471)
Vulnerability from cvelistv5 – Published: 2026-03-11 16:30 – Updated: 2026-03-11 20:09
VLAI
Title
Caching of authentication context
Summary
Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after restart. The issue is limited to certain non-default configurations of SSO (UserInfo endpoint).
We recommend upgrading to versions 2026.01.4 (or 5.26.22) where the issue is fixed.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://neo4j.com/security/CVE-2026-1471 | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Neo4j | Enterprise edition |
Affected:
2025.01 , < 2026.01.4
(date)
Affected: 4.4.0 , < 5.26.22 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1471",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T20:08:47.580869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T20:09:18.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Enterprise edition",
"vendor": "Neo4j",
"versions": [
{
"lessThan": "2026.01.4",
"status": "affected",
"version": "2025.01",
"versionType": "date"
},
{
"lessThan": "5.26.22",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2026.01.4",
"versionStartIncluding": "2025.01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:neo4j:enterprise_edition:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.26.22",
"versionStartIncluding": "4.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after restart. The issue is limited to certain non-default configurations of SSO (UserInfo endpoint).\u0026nbsp;\u003cbr\u003eWe recommend upgrading to versions 2026.01.4 (or 5.26.22) where the issue is fixed.\u0026nbsp;"
}
],
"value": "Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.01.4 leads to authenticated users inheriting the context of the first user who authenticated after restart. The issue is limited to certain non-default configurations of SSO (UserInfo endpoint).\u00a0\nWe recommend upgrading to versions 2026.01.4 (or 5.26.22) where the issue is fixed."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T16:30:24.053Z",
"orgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6",
"shortName": "Neo4j"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://neo4j.com/security/CVE-2026-1471"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Caching of authentication context",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003eSet dbms.security.oidc.\u0026lt;provider\u0026gt;.get_groups_from_user_info\u003c/code\u003e and\u0026nbsp;\u003ccode\u003edbms.security.oidc.\u0026lt;provider\u0026gt;.get_username_from_user_info to false.\u003c/code\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Set dbms.security.oidc.\u003cprovider\u003e.get_groups_from_user_info and\u00a0dbms.security.oidc.\u003cprovider\u003e.get_username_from_user_info to false."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6",
"assignerShortName": "Neo4j",
"cveId": "CVE-2026-1471",
"datePublished": "2026-03-11T16:30:24.053Z",
"dateReserved": "2026-01-27T09:09:22.753Z",
"dateUpdated": "2026-03-11T20:09:18.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Phase: Architecture and Design
Description:
- Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation ID: MIT-4.4
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Description:
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Phase: Architecture and Design
Description:
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Phases: System Configuration, Installation
Description:
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.