|
5121
|
4.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-8347
|
2026-05-23 04:16 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5122
|
6.5 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4…
|
CWE-352
CWE-1275
Origin Validation Error
Sensitive Cookie with Improper SameSite Attribute
|
CVE-2026-8435
|
2026-05-23 04:15 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5123
|
6.7 |
MEDIUM
Local
|
dell
|
smartfabric_storage_software
|
Dell SmartFabric Storage Software, versions prior to 1.4.5, contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A high privileged attacker w…
|
CWE-77
Command Injection
|
CVE-2026-35070
|
2026-05-23 04:14 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5124
|
6.4 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CM…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-7890
|
2026-05-23 04:12 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5125
|
7.5 |
HIGH
Network
|
dell
|
elastic_cloud_storage
|
Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management (IAM) module. A remote unauthenticated attacker may potentially exploit this vulnerability, le…
|
CWE-284
Improper Access Control
|
CVE-2022-31231
|
2026-05-23 04:10 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5126
|
5.0 |
MEDIUM
Network
|
devolutions
|
devolutions_server
|
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a craft…
|
CWE-601
Open Redirect
|
CVE-2026-9245
|
2026-05-23 04:05 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5127
|
4.3 |
MEDIUM
Network
|
devolutions
|
devolutions_server
|
Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of s…
|
CWE-862
Missing Authorization
|
CVE-2026-9246
|
2026-05-23 04:04 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5128
|
2.4 |
LOW
Network
|
devolutions
|
devolutions_server
|
Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to admi…
|
CWE-778
Insufficient Logging
|
CVE-2026-9247
|
2026-05-23 04:03 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5129
|
2.6 |
LOW
Network
|
devolutions
|
devolutions_server
|
Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault …
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-9248
|
2026-05-23 04:02 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5130
|
3.1 |
LOW
Network
|
devolutions
|
devolutions_server
|
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request.
This issue affects :
* D…
|
CWE-620
Unverified Password Change
|
CVE-2026-9249
|
2026-05-23 04:01 |
2026-05-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
