runzero CVE Vulnerabilities & CVE List (12)

Products (CPE): — CVEs: 12

runzero vulnerability overview

Aggregates CVE and security vulnerability intelligence across all runzero-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Common weakness patterns include SQL injection and path handling, with potential impact including file overwrite and data exposure across software deployment use cases.

Vulnerability distribution trend (last 24 months)

Showing 1-12 of 12 CVEs
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-5384 | An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.26021.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 5.8 | 0.21% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5383 | An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4 Medium). This issue was fixed in version 4.0.260208.0 of the runZero Explorer. | 44488dab-36db-4358-99f9-bc116477f914 | 4.4 | 0.18% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5382 | An issue that could expose records outside of the authorized organization scope through the MCP endpoints has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260206.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 3.0 | 0.17% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5381 | An issue that could expose task information outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N (2.2 Low). This issue was fixed in version 4.0.260205.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 2.2 | 0.17% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5380 | An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3 Medium). This issue was fixed in version 4.0.260204.2 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 5.3 | 0.20% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5379 | An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N (3.0 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 3.0 | 0.12% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5378 | An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N (5.8 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 5.8 | 0.19% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5376 | An issue that could prevent session inactivity timeouts from triggering due to automatic page reloading has been resolved. This is an instance of CWE-613: Insufficient Control of Resources After Expiration or Release, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N (5.9 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 5.9 | 0.21% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5375 | An issue that could allow a user with access to a credential to view sensitive fields through an API response has been resolved. This is an instance of CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N (2.7 Low). This issue was fixed in version 4.0.260203.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 2.7 | 0.20% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5374 | An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N (5.8 Medium). This issue was fixed in version 4.0.260202.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 5.8 | 0.21% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5373 | An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (8.1 High). This issue was fixed in version 4.0.260202.0 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 8.1 | 0.22% | 2026-04-07 | 2026-04-21 |
| CVE-2026-5372 | An issue that allowed a SQL injection attack vector related to saved queries (introduced in version 4.0.260123.0). This is an instance of CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H (6.4 Medium). This issue was fixed in version 4.0.260123.1 of the runZero Platform. | 44488dab-36db-4358-99f9-bc116477f914 | 6.4 | 0.20% | 2026-04-07 | 2026-04-21 |
cvelogic Threat Intelligence