VYPR

Cerebrate

by Cerebrate Project

CVEs (11)

  • CVE-2025-66385  Critical  Nov 28, 2025
    risk 0.61 · cvss · epss 0.00

    UsersController::edit in Cerebrate before 1.30 allows an authenticated non-privileged user to escalate their privileges (e.g., obtain a higher role such as admin) via the user-edit endpoint by supplying or modifying role_id or organisation_id fields in the edit request.

  • CVE-2026-53901  High  Jun 11, 2026
    risk 0.50 · cvss · epss 0.00

    Cerebrate before version 1.37 contains a mass-assignment vulnerability in the generic CRUD add path. The add() handler attempted to remove an attacker-supplied id from $params before normalizing the request through __massageInput(). Because the normalized $input could still…

  • CVE-2026-53911  Medium  Jun 11, 2026
    risk 0.34 · cvss · epss 0.00

    Cerebrate before version 1.37 allowed the id primary key field to be supplied through request input during CRUD edit operations and certain custom entity patching flows. In affected entities that did not explicitly mark id as inaccessible, an authenticated attacker could submit…

  • CVE-2026-53912  Medium  Jun 11, 2026
    risk 0.26 · cvss · epss 0.00

    Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses,…

  • CVE-2023-41908  Sep 5, 2023
    risk 0.00 · cvss · epss 0.00

    Cerebrate before 1.15 lacks the Secure attribute for the session cookie.

  • CVE-2023-41363  Aug 29, 2023
    risk 0.00 · cvss · epss 0.00

    In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other users.

  • CVE-2023-28883  Mar 27, 2023
    risk 0.00 · cvss · epss 0.01

    In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint.

  • CVE-2022-25318  Feb 18, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Cerebrate through 1.4. An incorrect sharing group ACL allowed an unprivileged user to edit and modify sharing groups.

  • CVE-2022-25317  Feb 18, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Cerebrate through 1.4. genericForm allows reflected XSS in form descriptions via a user-controlled description.

  • CVE-2022-25320  Feb 18, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Cerebrate through 1.4. Username enumeration could occur.

  • CVE-2022-25319  Feb 18, 2022
    risk 0.00 · cvss · epss 0.01

    An issue was discovered in Cerebrate through 1.4. Endpoints could be open even when not enabled.
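Three of the entries above (CVE-2025-66385, CVE-2026-53901 and CVE-2026-53911) share one root cause: an edit or add handler that applies whatever keys arrive in the request body to the entity, so an authenticated low-privilege user can write fields such as role_id, organisation_id or the primary key id that the endpoint was never meant to expose. The block below is an added, constructed Python model of that pattern and of the hardened form; it is not Cerebrate's code and the User record, the role constants and the allowlists are assumptions made for the illustration. In a CakePHP application the equivalent hardening is to mark id inaccessible on the entity (`protected array $_accessible = ['*' => true, 'id' => false]`) and to pass an explicit `fields` allowlist to patchEntity, which is the general framework mechanism rather than a description of the Cerebrate fix.

```python
"""Mass-assignment privilege escalation: vulnerable vs. hardened edit handler.

Constructed example, not Cerebrate code. Models the class of bug behind
CVE-2025-66385 (role_id / organisation_id writable) and CVE-2026-53911
(primary key id writable) in a generic CRUD edit path.
"""
from dataclasses import dataclass, replace
from typing import Any

# Assumed role identifiers for the illustration.
ROLE_USER = 1
ROLE_ADMIN = 2


@dataclass
class User:
    """Assumed minimal user record; field names chosen for the example."""
    id: int
    username: str
    email: str
    role_id: int
    organisation_id: int


class Forbidden(Exception):
    """Raised when the request tries to write a field the actor may not set."""


def edit_vulnerable(target: User, body: dict[str, Any]) -> User:
    """Vulnerable pattern: every body key that matches an entity attribute is
    applied. A user allowed to edit their own profile can therefore submit
    role_id=ROLE_ADMIN or a different id and have it persisted."""
    patched = replace(target)
    for key, value in body.items():
        if hasattr(patched, key):
            setattr(patched, key, value)
    return patched


# Fields a user may change on their own record, and what an admin may change.
SELF_EDITABLE = frozenset({"username", "email"})
ADMIN_EDITABLE = SELF_EDITABLE | {"role_id", "organisation_id"}
# The primary key is never accepted from request input, whoever the actor is.
NEVER_ACCESSIBLE = frozenset({"id"})


def edit_hardened(actor: User, target: User, body: dict[str, Any]) -> User:
    """Hardened pattern: authorise the actor against the target, then apply
    only an explicit allowlist. Unexpected keys are rejected loudly rather
    than silently dropped, so an attempt shows up in logs as a failed request."""
    is_admin = actor.role_id == ROLE_ADMIN
    if not is_admin and actor.id != target.id:
        raise Forbidden("non-admin users may only edit their own record")

    allowed = ADMIN_EDITABLE if is_admin else SELF_EDITABLE
    rejected = (set(body) - allowed) | (set(body) & NEVER_ACCESSIBLE)
    if rejected:
        raise Forbidden(f"fields not writable by this actor: {sorted(rejected)}")

    patched = replace(target)
    for key in allowed & set(body):
        setattr(patched, key, body[key])
    return patched


def demo() -> dict[str, Any]:
    """Run the attack body through both handlers and summarise the outcome."""
    attacker = User(id=7, username="mallory", email="m@example.org",
                    role_id=ROLE_USER, organisation_id=3)
    admin = User(id=1, username="root", email="r@example.org",
                 role_id=ROLE_ADMIN, organisation_id=1)
    # Constructed attacker request: a legitimate email change smuggled in
    # alongside a role elevation and a primary-key override.
    attack_body = {"email": "m2@example.org", "role_id": ROLE_ADMIN, "id": 1}

    escalated = edit_vulnerable(attacker, attack_body)
    try:
        edit_hardened(attacker, attacker, attack_body)
        blocked = False
    except Forbidden:
        blocked = True
    # The same allowlist still lets an admin legitimately change a role.
    promoted = edit_hardened(admin, attacker, {"role_id": ROLE_ADMIN})

    return {
        "vulnerable_role_id": escalated.role_id,
        "vulnerable_id": escalated.id,
        "hardened_blocked": blocked,
        "admin_can_promote": promoted.role_id == ROLE_ADMIN,
    }


if __name__ == "__main__":
    print(demo())
```

The practitioner's check, when auditing any generic CRUD layer, is to look for the point where request input meets the entity and confirm that the set of writable fields is decided by the actor's role rather than by the request, and that identifiers like id are excluded unconditionally. Rejecting unexpected keys, as above, also turns a silent escalation attempt into an event a detection rule can alert on.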