|
2331
|
6.4 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CM…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-7890
|
2026-05-23 04:12 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2332
|
7.5 |
HIGH
Network
|
dell
|
elastic_cloud_storage
|
Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management (IAM) module. A remote unauthenticated attacker may potentially exploit this vulnerability, le…
|
CWE-284
Improper Access Control
|
CVE-2022-31231
|
2026-05-23 04:10 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2333
|
5.0 |
MEDIUM
Network
|
devolutions
|
devolutions_server
|
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a craft…
|
CWE-601
Open Redirect
|
CVE-2026-9245
|
2026-05-23 04:05 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2334
|
4.3 |
MEDIUM
Network
|
devolutions
|
devolutions_server
|
Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of s…
|
CWE-862
Missing Authorization
|
CVE-2026-9246
|
2026-05-23 04:04 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2335
|
2.4 |
LOW
Network
|
devolutions
|
devolutions_server
|
Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to admi…
|
CWE-778
Insufficient Logging
|
CVE-2026-9247
|
2026-05-23 04:03 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2336
|
2.6 |
LOW
Network
|
devolutions
|
devolutions_server
|
Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault …
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-9248
|
2026-05-23 04:02 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2337
|
3.1 |
LOW
Network
|
devolutions
|
devolutions_server
|
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request.
This issue affects :
* D…
|
CWE-620
Unverified Password Change
|
CVE-2026-9249
|
2026-05-23 04:01 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2338
|
4.3 |
MEDIUM
Network
|
devolutions
|
devolutions_server
|
Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request.
This is…
|
CWE-862
Missing Authorization
|
CVE-2026-9224
|
2026-05-23 03:58 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2339
|
4.3 |
MEDIUM
Network
|
devolutions
|
devolutions_server
|
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
|
CWE-284
Improper Access Control
|
CVE-2026-9223
|
2026-05-23 03:57 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2340
|
7.6 |
HIGH
Network
|
devolutions
|
devolutions_server
|
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-fac…
|
CWE-305
Authentication Bypass by Primary Weakness
|
CVE-2026-9047
|
2026-05-23 03:55 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
