CVE-2026-11837: local privilege escalation in the ansible.posix authorized_key module via symlink-following chown. Technical writeup; sibling of CVE-2024-9902.
Demonstrate local privilege escalation in networkd-dispatcher via CVE-2022-29799 and CVE-2022-29800 using this C proof of concept.
### Impact
The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets across company boundaries, breaking multi-tenancy isolation.

### Patches
Patched in https://github.com/grokability/snipe-it/commit/d58fda626e8febfeff4cabbc20ba03edfc411e18
### Impact
A user who can edit other users could reset a superadmin's 2FA.

### Patches
Patched in 8.5.0
### Impact The CSV user import in update mode bypasses user-edit authorization. A user with only the `import` permission can overwrite any non-admin user's email by uploading a CSV, then trigger a password reset to take over the account. `UserImporter.php` checks the `canEditAuthFields` gate and tries to strip auth fields from the model: ```php // app/Importer/UserImporter.php:107-114 if (Auth::check() && (! Gate::allows('canEditAuthFields', $user))) { unset($user->username); unset($us
# Open Redirect in Flask-Security

## Summary
`flask_security.utils.validate_redirect_url()` can allow an attacker-controlled redirect URL when subdomain redirects are enabled. The bypass uses a backslash inside the URL authority/host:

```text
http://evil.com\.whitelist.com
http://evil.com%5C.whitelist.com
```

Python's `urlsplit()` parses the full authority as `evil.com\.whitelist.com` or `evil.com%5C.whitelist.com`. Because the value ends with `.whitelist.com`, `validate_redirect_url()` acc
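The following is an added example, not Flask-Security's own code: it reproduces the suffix check on the authority that the advisory describes, shows why `urlsplit()` lets the two payloads above through, and contrasts it with a stricter validator. `WHITELIST`, `naive_is_safe` and `hardened_is_safe` are hypothetical names chosen for the illustration.

```python
"""Added example (not Flask-Security code): suffix check on the URL authority
vs. a stricter host comparison. Names are hypothetical."""
from urllib.parse import urlsplit

WHITELIST = "whitelist.com"  # assumed allowed domain for subdomain redirects


def naive_is_safe(url: str, domain: str = WHITELIST) -> bool:
    """Models the vulnerable logic: accept any http(s) URL whose authority
    ends with '.<domain>'. urlsplit() stops the authority only at '/', '?'
    and '#', so a backslash (raw or as %5C) stays inside netloc and an
    attacker's host can sit in front of the allowed suffix."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.netloc == domain or parts.netloc.endswith("." + domain)


def hardened_is_safe(url: str, domain: str = WHITELIST) -> bool:
    """Stricter validator: refuse any authority containing characters a
    browser may treat as a boundary (browsers parse '\\' as '/' in http(s)
    URLs), percent-encoding, userinfo or whitespace; then compare the parsed
    hostname label-wise against the allowed domain."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if any(ch in parts.netloc for ch in "\\%@ \t\r\n"):
        return False
    host = parts.hostname  # lower-cased, port stripped
    if not host:
        return False
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for u in ("http://evil.com\\.whitelist.com", "http://evil.com%5C.whitelist.com",
              "https://app.whitelist.com/dash", "https://evilwhitelist.com/"):
        print(f"{u:40} naive={naive_is_safe(u)!s:5} hardened={hardened_is_safe(u)}")
```

Rejecting the backslash outright is deliberate: normalising it to `/` would also work, but a validator that mirrors every browser's URL quirks is fragile, whereas refusing characters that have no business in a hostname is easy to reason about.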
### Impact
`POST /two-factor` had no rate limiting, lockout, or attempt counter. An attacker with valid credentials can submit unlimited TOTP guesses. The TOTP implementation accepts the current code plus one step on either side (`config/google2fa.php window=1`), so at any instant 3 of 1,000,000 codes are accepted. After a correct guess the attacker holds a fully authenticated session. If the instance is configured with 2FA in optional mode (`two_factor_enabled='1'`), the attacker can additiona
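An added example, not Snipe-IT's or google2fa's code: an RFC 6238 TOTP verifier that makes the "3 of 1,000,000" figure concrete (window=1 means the server checks the previous, current and next 30-second step) and adds the per-account attempt counter and lockout that the endpoint lacked. `TwoFactorGuard`, `MAX_ATTEMPTS` and `LOCKOUT_SECONDS` are hypothetical names and policy values; the secret used in the `__main__` block is the RFC 4226 test secret.

```python
"""Added example (not Snipe-IT/google2fa code): TOTP with a skew window and
an attempt counter with lockout. Policy constants are assumptions."""
import hashlib
import hmac
import struct

STEP = 30            # RFC 6238 time step in seconds
DIGITS = 6
MAX_ATTEMPTS = 5     # assumed policy: failures tolerated before lockout
LOCKOUT_SECONDS = 300


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_window(secret: bytes, now: int, window: int = 1) -> list:
    """Every code the server accepts at `now` when it tolerates +/- `window`
    steps of clock skew. window=1 -> 3 distinct codes out of 10**DIGITS."""
    counter = now // STEP
    return [hotp(secret, counter + i) for i in range(-window, window + 1)]


class TwoFactorGuard:
    """Per-account attempt counter with lockout: turns unlimited online
    guessing into MAX_ATTEMPTS guesses per LOCKOUT_SECONDS."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, now: int) -> bool:
        if now < self.locked_until:
            return False  # locked: even a correct code is refused
        well_formed = code.isascii() and code.isdigit() and len(code) == DIGITS
        ok = well_formed and any(
            hmac.compare_digest(code, c)
            for c in totp_window(self.secret, now, self.window))
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test secret
    print("accepted at t=59:", totp_window(secret, 59))
    g = TwoFactorGuard(secret)
    for guess in ["000000"] * MAX_ATTEMPTS + ["287082"]:
        print(guess, g.verify(guess, 59), "locked_until", g.locked_until)
```

The lockout counter must live server-side keyed by the account (not the session), otherwise an attacker simply opens a new session after each failure; persisting it next to the user record or in a shared cache is the usual choice.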
Missing Authorization in API CategoryController — CVE-2026-24421 fixed BackupController by adding userHasPermission(PermissionType::BACKUP). The same fix was NOT applied to 4 other write endpoints in the public API. All 4 only call hasValidToken() (shared API key) but never call userHasPermission(), allowing any API token holder to perform admin operations regardless of their user permissions. ## Summary CVE-2026-24421 fixed BackupController by adding: $this->userHasPermission(PermissionType
### Impact
The vulnerability allows a non-admin user holding only the granular `users.edit` permission to lock every admin out of the instance by editing the `activated` flag (which determines whether or not a user can log in) and the `ldap_import` flag, which determines whether or not the user can request a password reset.

### Patches
Patched in https://github.com/grokability/snipe-it/commit/403f9c848b05274642f64450696bdcdc242a352a
## Summary If a symlink already exists under the `.terraform/providers` directory where a provider package needs to be installed, `tofu init` would follow that symlink and install the new package content into it. If an attacker can coerce an operator into running `tofu init` in a directory whose contents are attacker-controlled, they can include such a symlink along with instruction to install an attacker-controlled provider package at the path of that symlink, which would then cause OpenTofu
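An added example, not OpenTofu's or ansible.posix's code, covering the symlink-following pattern behind this advisory and the `authorized_key` chown issue listed at the top of the page: a pre-planted symlink at the install path, an installer that follows it and writes into the victim directory, and a hardened variant that walks the path with `lstat`, refuses any symlinked component, and creates files with `O_EXCL|O_NOFOLLOW`. The directory layout is constructed to mirror the advisory; function names are hypothetical.

```python
"""Added example (not OpenTofu code): installing into a path that an attacker
has replaced with a symlink, naive vs. no-follow. Layout is constructed."""
import os
import stat
import tempfile
from pathlib import Path


def install_following_symlinks(target: Path, files: dict) -> None:
    """Models the vulnerable behaviour: mkdir -p the target and write into
    whatever it resolves to, even if `target` is a pre-existing symlink."""
    target.mkdir(parents=True, exist_ok=True)  # is_dir() follows the link
    for name, data in files.items():
        (target / name).write_bytes(data)      # lands in the link's target


def install_no_follow(cache_root: Path, rel: str, files: dict) -> Path:
    """Hardened: walk `rel` below `cache_root` one component at a time; every
    component that already exists must be a real directory (lstat, not stat).
    Files are created with O_EXCL|O_NOFOLLOW so a link planted between the
    check and the write still cannot be followed."""
    cur = cache_root
    for part in Path(rel).parts:
        cur = cur / part
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            os.mkdir(cur, 0o755)
            continue
        if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
            raise RuntimeError(f"refusing to install through {cur}: not a plain directory")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    for name, data in files.items():
        fd = os.open(cur / name, flags, 0o644)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    return cur


def demo() -> tuple:
    """Constructed scenario: attacker pre-plants a symlink at the provider path
    pointing at `victim/`. Returns (naive wrote into victim, hardened refused,
    hardened still installs on a clean path)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        victim = root / "victim"
        victim.mkdir()
        cache = root / ".terraform" / "providers"
        rel = "registry.example/acme/thing/1.0.0/linux_amd64"
        link = cache / rel
        link.parent.mkdir(parents=True)
        link.symlink_to(victim, target_is_directory=True)
        payload = {"terraform-provider-thing": b"#!/bin/sh\necho attacker-controlled\n"}

        install_following_symlinks(link, payload)
        naive_escaped = (victim / "terraform-provider-thing").exists()

        try:
            install_no_follow(cache, rel, payload)
            refused = False
        except RuntimeError:
            refused = True

        clean = install_no_follow(cache, "registry.example/acme/other/1.0.0/linux_amd64", payload)
        clean_ok = (clean / "terraform-provider-thing").read_bytes() == payload["terraform-provider-thing"]
        return naive_escaped, refused, clean_ok


if __name__ == "__main__":
    print("naive escaped, hardened refused, clean install ok:", demo())
```

The same `lstat`-then-`O_NOFOLLOW` discipline applies to ownership and mode changes: `os.chown(path, ..., follow_symlinks=False)` (or `lchown`) is the counterpart for the chown case, and the check belongs on every component below the trusted root, not only on the leaf.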
Any schema can contain a file upload form field, so Filament applies Livewire's `WithFileUploads` trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application's temporary storage, which could be abused to exhaust disk space
### Summary
An unprivileged process can easily cause the `processPIDEvents` goroutine to block indefinitely, so it never analyzes another ELF file. The goroutine stays blocked in the `openat2` syscall forever and the profiler no longer works properly: a denial of service.

### Impact
The impact is limited to denial of service on the ebpf-profiler agent:
- A malicious workload is required, though it need not be privileged.
- No exfiltration of data and no loss of data.
##
### Impact
A user with only `users.edit` and `api` permissions can send a PATCH to `/api/v1/users/{their_own_id}` and grant themselves any permission except admin and superuser, for example `assets.view`, `assets.create`, `reports.view`, `import`, etc.

### Patches
Patched in https://github.com/grokability/snipe-it/pull/19024
### Impact
The `GET /api/v1/{object}/selectlist` API endpoint is missing an authorization check. Any user who can log into Snipe-IT, regardless of permissions, can retrieve a paginated list of all user accounts using only their web session cookie. No API token or elevated permissions are required. This exposes usernames, display names, employee numbers, and user IDs for every active account in the system if FMCS is not enabled, and within the company they belong to if FMCS is enabled.

### What
### Summary
Attachment passwords are hashed using SHA-1, a cryptographically broken algorithm: practical collision attacks have existed since 2017 (SHAttered), and, more importantly for password storage, SHA-1 is a fast hash with no work factor.

### Details
**Affected file**: `phpmyfaq/src/phpMyFAQ/Attachment/AbstractAttachment.php`

![Screenshot of the affected code in AbstractAttachment.php](https://github.com/user-attachments/assets/6499a008-3ece-4291-8296-f1d3303ba35c)

### Impact
- An attacker who obtains the stored hashes can brute-force attachment passwords offline at high speed. Collision attacks do not by themselves let an attacker bypass a password check (they require control of both colliding inputs); the practical risk is cheap guessing against an unsuitable hash.
- Risk of password
Fuzzing the Microsoft Windows DNS client library. Inspired by CVE-2026-41096.
The codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) can forward a prefix of a legitimate chunked-OHTTP message—cut at a non-final chunk boundary—and close the outer body cleanly, producing no decryption error and no exception in the receiving application.
The `ImageColumn` and `ImageEntry` components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plant malicious HTML or JavaScript and achieve stored XSS that executes for users who view the table or schema.
The login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an account exists for a given email.
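An added example, not phpMyFAQ's or the affected login page's code, serving both the SHA-1 attachment-password finding above and this timing finding: a single unsalted SHA-1 as a password hash (cracked by a three-word list in microseconds) beside a salted, iterated PBKDF2 hash, and a login routine that runs the expensive verification against a dummy hash when the account does not exist, so the "no such user" path no longer returns early. The user table, wordlist, `ITERATIONS` value and all function names are constructed for the illustration.

```python
"""Added example (not phpMyFAQ code): fast unsalted SHA-1 vs. PBKDF2 for
stored passwords, and a login that takes the same path for unknown users."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

ITERATIONS = 210_000  # assumed work factor for PBKDF2-HMAC-SHA256


def weak_hash(password: str) -> str:
    """What the advisory describes: one unsalted SHA-1 over the password.
    Offline guessing runs at hardware speed and identical passwords collide."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak(stored_sha1: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against a SHA-1 password hash (no salt to slow it)."""
    for word in wordlist:
        if weak_hash(word) == stored_sha1:
            return word
    return None


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash: per-password 16-byte salt, PBKDF2-HMAC-SHA256."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Verified whenever the user does not exist, so that path costs the same as a
# real verification instead of returning immediately.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def login_leaky(users: dict, email: str, password: str) -> bool:
    """Timing-enumerable: unknown e-mail returns before any hashing."""
    stored = users.get(email)
    if stored is None:
        return False
    return verify_password(password, stored)


def login_constant_path(users: dict, email: str, password: str) -> bool:
    """Same work whether or not the account exists; the result is still False
    for an unknown user even if the dummy verification somehow matched."""
    stored = users.get(email)
    ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
    return ok and stored is not None


if __name__ == "__main__":
    users = {"alice@example.com": hash_password("correct horse")}  # constructed
    print("cracked:", crack_weak(weak_hash("letmein"), ["password", "123456", "letmein"]))
    print(login_constant_path(users, "alice@example.com", "correct horse"),
          login_constant_path(users, "nobody@example.com", "correct horse"))
```

Equalising the code path removes the large, easily measured gap between the two branches; residual differences (database lookup time, cache hits) remain and are best addressed by rate limiting and by not differentiating error messages, which this example does not cover.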
### Impact
If an application uses `HttpException::setTitle()` and/or `setDescription()` to include untrusted/request-derived data in the error title or description (e.g. `"No products found matching '{$query}'."`), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with `displayErrorDetails = false` as the unescaped title and description are rendered on this error p