CVE-2026-44352

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch logs from any user. This vulnerability is fixed in 1.2.3...

CVE-2026-47202 Kavita: Pre-Auth Account Takeover

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

EUVD-2026-31938

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

PT-2026-43353

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2...

CVE-2026-44352

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch logs from any user. This vulnerability is fixed in 1.2.3...

CVE-2026-42158 Flowsint: Broken Access Control allows modification of investigation metadata from any user

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID, could update the metadata of an investigation of another user. This vulnerability is fixed in 1.2.3...

CVE-2026-44352 Flowsint: Broken Access Control allows reading of sketch logs from any user

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch logs from any user. This vulnerability is fixed in 1.2.3...

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the GetSession function. An attacker can access sensitive SSH session data belonging to other tenants by providing a valid session UID and authenticating with any user account...

CVE-2026-35063

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

EUVD-2026-21035

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

CVE-2026-22734 - UAA SAML 2.0 Signature Bypass | Cloud Foundry

Severity 8.8 / High CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N 8.6 / HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N Vendor CloudFoundry Foundation Description Cloud Foundry UAA versions v77.21.0 through v78.8.0 are vulnerable to a bypass that allows an attacker to obtain a...

PT-2026-26493

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.52 Parse Server versions prior to 9.6.0-alpha.41 Description A flaw exists in Parse Server that allows an attacker to bypass authentication and log in as any user who has linked a third-party authentication...

CVE-2026-32126

OpenEMR prior to version 8.0.0.1 contains an inverted boolean condition in ControllerRouter::route() that enforces the admin/super ACL check only for controllers with their own internal authorization (e.g., review, log). As a result, all other CDR controllers (alerts, ajax, edit, add, detail, bro...

CVE-2026-28800

Natro Macro (AutoHotkey) prior to 1.1.0 is affected: if Discord Remote Control is set up in a non-private channel, any user with permission to send messages can execute arbitrary actions on the victim’s machine, including keyboard and mouse inputs and full file access. The issue has been patched ...

WordPress plugin Login with Salesforce 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

Authorization Bypass Through User-Controlled Key

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the actionSendActivationEmail function. An attacker can gain unauthorized access to user accounts or enumerate user states by submitting...

PT-2026-23107

Name of the Vulnerable Software and Affected Versions Netmaker versions prior to 1.2.0 Description The /api/server/shutdown endpoint allows any user to terminate the Netmaker server process via syscall.SIGINT. This can lead to a cyclic denial of service, with the server restarting approximately...

CVE-2025-30035 Lack of API authentication allowing session generation for any user

The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials. Obtaining a session ID is sufficient for session takeover and grants access to the...

CVE-2026-0997 Mattermost Zoom Plugin channel preference API lacks authorization checks

Mattermost versions 11.1.x = 11.1.2, 10.11.x = 10.11.9, 11.2.x = 11.2.1 and Mattermost Plugin Zoom versions =1.11.0 fail to validate the authenticated user when processing /plugins/zoom/api/v1/channel-preference, which allows any logged-in user to change Zoom meeting restrictions for arbitrary...

CVE-2026-26005

ClipBucket v5 is an open source video sharing platform. Prior to 5.5.3 - 45, in Clip Bucket V5, The Remote Play allows creating video entries that reference external video URLs without uploading the video files to the server. However, by specifying an internal network host in the video URL, an SS...