Appwrite <=1.2.1 - Server-Side Request Forgery

Appwrite through 1.2.1 is susceptible to server-side request forgery via the component /v1/avatars/favicon. An attacker can potentially access network resources and sensitive information via a crafted GET request, thereby also making it possible to modify data and/or execute unauthorized...

CVE-2026-27579

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue...

Exploit for CVE-2026-27579

Appwrite CORS Misconfiguration Exploit PoC CVE-2026-27579...

PT-2026-21376

Name of the Vulnerable Software and Affected Versions CollabPlatform affected versions not specified Description The application’s Appwrite project is misconfigured, allowing arbitrary origins in Cross-Origin Resource Sharing CORS responses while also permitting credentialed requests. This allows...

CollabPlatform 安全漏洞

CollabPlatform is a real-time collaboration platform developed by Manav Mahesh Sanger as an individual developer. CollabPlatform has a security vulnerability, which stems from improper CORS configuration in the Appwrite project. This allows credentials from any source to be requested, potentially...

Malicious Package

Overview ansi-universal-ui is a malicious package. This package contains malicious code, and it has been removed from the official package manager. The package sets up a standalone Python runtime and downloads an obfuscated payload from an Appwrite storage bucket that, upon execution, performs an...

EUVD-2022-1199

Malicious code in bioql PyPI...

EUVD-2022-6708

Malicious code in bioql PyPI...

EUVD-2024-16838

Malicious code in bioql PyPI...

CVE-2024-1063

Appwrite = v1.4.13 is affected by a Server-Side Request Forgery SSRF via the '/v1/avatars/favicon' endpoint due to an incomplete fix of CVE-2023-27159...

CVE-2023-50974

In Appwrite CLI before 3.0.0, when using the login command, the credentials of the Appwrite user are stored in a /.appwrite/prefs.json file with 0644 as UNIX permissions. Any user of the local system can access those credentials...

CVE-2023-27159

Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery SSRF via the component /v1/avatars/favicon. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request...

CVE-2022-25377

The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APPSTORAGECERTIFICATES/.well-known/acme-challenge must exist on disk. This pathname is automatically created if...

CVE-2022-2925

Cross-site Scripting XSS - Stored in GitHub repository appwrite/appwrite prior to 1.0.0-RC1...

Arbitrary File Read

Appwrite is vulnerable to Directory Traversal. The vulnerability is due to insufficient validation of user-supplied input when creating an ACME challenge file, allowing an attacker to manipulate the request URI to access arbitrary files. The vulnerability is only exploitable if the...

Appwrite Directory Traversal vulnerability

The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APPSTORAGECERTIFICATES/.well-known/acme-challenge must exist on disk. This pathname is automatically created if...

GHSA-WFM3-GQ9H-MRJM Appwrite Directory Traversal vulnerability

The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APPSTORAGECERTIFICATES/.well-known/acme-challenge must exist on disk. This pathname is automatically created if...

CVE-2022-25377

The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APPSTORAGECERTIFICATES/.well-known/acme-challenge must exist on disk. This pathname is automatically created if...

CVE-2022-25377

The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APPSTORAGECERTIFICATES/.well-known/acme-challenge must exist on disk. This pathname is automatically created if...

CVE-2022-25377

The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, APPSTORAGECERTIFICATES/.well-known/acme-challenge must exist on disk. This pathname is automatically created if...