Filtered by vendor Go-shiori Subscriptions
Filtered by product Shiori Subscriptions
Total 2 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2026-61463 1 Go-shiori 1 Shiori 2026-07-13 8.8 High
Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. Attackers can escalate to administrator by submitting a crafted PATCH request with owner: true, then re-authenticate to obtain an admin JWT token granting full system access.
CVE-2025-60538 1 Go-shiori 1 Shiori 2026-01-22 6.5 Medium
A lack of rate limiting in the login page of shiori v1.7.4 and below allows attackers to bypass authentication via a brute force attack.