ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check

Summary GET /api/namespaces/:tenant returns the full namespace object — including the members list user IDs, e-mails, roles, settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope. The handler conditionally skips the...

PT-2026-38314

Name of the Vulnerable Software and Affected Versions ShellHub versions prior to 0.24.2 Description An issue exists where the endpoint "/api/devices/:uid" returns the full device object to any authenticated user without verifying if the device belongs to the caller's namespace tenant. An...

CVE-2025-11945

AFFiNE (toeverything) up to version 0.24.1 contains a cross-site scripting flaw in the Avatar Upload Image Endpoint due to manipulation of unknown code paths. The issue can be exploited remotely and a public exploit exists; vendor did not respond to disclosure. No remediation details are provided...

WordPress plugin Relocate Upload 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site request forge...

PyO3 Risk of buffer overflow in `PyString::from_object`

PyString::fromobject took &str arguments and forwarded them directly to the Python C API without checking for terminating nul bytes. This could lead the Python interpreter to read beyond the end of the &str data and potentially leak contents of the out-of-bounds read by raising a Python exception...

XML External Entity Injection in PyWPS

An XML external entity XXE injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected...

GHSA-P9WF-3XPG-C9G5 XML External Entity Injection in PyWPS

An XML external entity XXE injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected...

Xxe

An XML external entity XXE injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected...

PYSEC-2021-121

An XML external entity XXE injection in PyWPS before 4.5.0 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected...

CVE-2021-29511

evm is a pure Rust implementation of Ethereum Virtual Machine. Prior to the patch, when executing specific EVM opcodes related to memory operations that use evmcore::Memory::copylarge, the evm crate can over-allocate memory when it is not needed, making it possible for an attacker to perform...

PT-2021-18262 · Evm · Evm

Name of the Vulnerable Software and Affected Versions: evm versions prior to 0.21.1 evm versions prior to 0.23.1 evm versions prior to 0.24.1 evm versions prior to 0.25.1 evm versions prior to 0.26.1 Description: The issue is related to the execution of specific EVM opcodes that use evm...