PT-2026-25975

Name of the Vulnerable Software and Affected Versions Cockpit versions 2.13.4 and earlier Description Cockpit is a headless content management system. Instances running version 2.13.4 or earlier with API access enabled are susceptible to a SQL Injection issue in the MongoLite Aggregation Optimize...

CVE-2026-32715

CVE-2026-32715 | AnythingLLM in versions up to 1.11.1 has a privilege bypass where two generic system-preferences endpoints expose manager-level access, bypassing admin-only restrictions. This allows a manager to read plaintext SQL database credentials and overwrite admin-only global settings (e....

CVE-2026-32715 AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...

GO-2026-4626 Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion in github.com/forceu/gokapi

Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

curl: CURLOPT_UNRESTRICTED_AUTH Dangerous Default Documentation Gap

Summary: CURLOPTUNRESTRICTEDAUTH=1 instructs libcurl to send credentials to ALL hosts during redirect chains, 'possibly again and again as the following hosts can keep redirecting to new hosts.' The documentation explicitly warns this is dangerous, but the default behavior is also risky: curl onl...

PT-2026-27245

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.7 Description OpenClaw’s fetchWithSsrFGuard... function improperly validates headers during cross-origin redirects, allowing custom authorization headers like X-Api-Key and Private-Token to be forwarded to a...

CVE-2026-1087

The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings,...

EUVD-2026-10128

The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings,...

CVE-2026-29060

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with...

CVE-2026-3236

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token...

CVE-2026-29061

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permission...

CVE-2026-29061

Gokapi CVE-2026-29061 summary (based on connected docs): Gokapi is a self-hosted file sharing server. Before version 2.2.3, a privilege-escalation flaw in the user rank demotion logic allows a demoted user’s existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, ...

CVE-2026-29060 Gokapi: Privilege escalation with auth token

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with...

CVE-2026-29060 Gokapi: Privilege escalation with auth token

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with...

CVE-2026-21621

CVE-2026-21621 affects the Hex.pm application (hexpm/hexpm). The vulnerability arises from the OAuth client_credentials flow in Elixir.HexpmWeb.API.OAuthController (validate_scopes_against_key/2), where a read-only API key (domain: api, resource: read) loses its scope and is issued a broad api sc...

GHSA-M2HX-WJXC-9FP4 Gokapi has privilege escalation with auth token

Impact A registered user without privileges to create or modify file requests is able to create a short-lived API key that has the permission to do so. The user must be registered with Gokapi. If you do not have any other users with access to the admin/upload menu, you are not impacted. Patches...

CVE-2026-3236

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token...

CVE-2026-3236

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token...

CVE-2026-3236

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token...

PT-2026-23497

Incorrect Authorization vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.API.OAuthController' module allows Privilege Escalation. An API key created with read-only permissions domain: "api", resource: "read" can be escalated to full write access under specific conditions. When exchanging a...