Lucene search
+L

1237 matches found

RedhatCVE
RedhatCVE
added 2026/03/26 3:8 p.m.6 views

CVE-2026-33428

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions...

7.1CVSS5.8AI score0.00274EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 2:59 p.m.5 views

CVE-2026-31834

Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient...

7.2CVSS5.7AI score0.00257EPSS
Exploits0References1
NVD
NVD
added 2026/03/26 12:16 a.m.18 views

CVE-2026-33915

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the RestConfig::requestauthorizationcheck call that every other data-modifying route in the standard API uses. This...

5.4CVSS0.00227EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/25 11:23 p.m.2 views

CVE-2026-33915

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the RestConfig::requestauthorizationcheck call that every other data-modifying route in the standard API uses. This...

5.4CVSS5.8AI score0.00227EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/25 9:17 p.m.4 views

GHSA-8CMM-J6C4-RR8V Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

Summary When the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will...

6.5CVSS5.9AI score0.0033EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/03/25 9:17 p.m.10 views

Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

Summary When the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will...

6.5CVSS5.9AI score0.0033EPSS
Exploits1References6Affected Software1
RedHat Linux
RedHat Linux
added 2026/03/25 6:51 p.m.3 views

udisks: Missing Authorization Check Allows Unprivileged Users to Restore LUKS Headers via udisks D-Bus API

A flaw was found in the udisks storage management daemon that exposes a privileged D-Bus API for restoring LUKS encryption headers without proper authorization checks. The issue allows a local unprivileged user to instruct the root-owned udisks daemon to overwrite encryption metadata on block...

7.1CVSS5.7AI score0.00075EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/25 12:0 a.m.13 views

PT-2026-28145

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the RestConfig::request authorization check call that every other data-modifying route in the standard API uses. Th...

5.4CVSS5.8AI score0.00227EPSS
Exploits0References4
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/25 12:0 a.m.21 views

Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

When the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive...

6.5CVSS5.8AI score0.0033EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 5:27 p.m.13 views

Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users

Summary A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. Root-cause analysis: 1...

5.3CVSS5.8AI score0.00215EPSS
Exploits0References6Affected Software1
CVE
CVE
added 2026/03/24 3:35 p.m.11 views

CVE-2026-33676

Summary: Vikunja, an open-source self-hosted task manager, has a cross-project information disclosure in its API. Before 2.2.1, when returning tasks, the API fills the related_tasks field with full task objects for all related tasks without verifying the requester’s read permission on those proje...

6.5CVSS5.8AI score0.0033EPSS
Exploits1References4Affected Software1
CNVD
CNVD
added 2026/03/24 12:0 a.m.7 views

Unspecified vulnerability in Discourse (CNVD-2026-17481)

Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from a security vulnerability due to an overly broad authorization check on the deleted post index endpoint, which can ...

7.1CVSS5.8AI score0.00274EPSS
Exploits0
CNNVD
CNNVD
added 2026/03/21 12:0 a.m.9 views

Discourse 安全漏洞

Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from a security vulnerability due to an overly broad authorization check on the deleted post index endpoint, which can ...

7.1CVSS5.8AI score0.00274EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/21 12:0 a.m.9 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.2.25 contained security vulnerabilities. These vulnerabilities stemmed from access control issues in signal reaction notification processing, which could allow unauthorized sender...

6.3CVSS5.8AI score0.0021EPSS
Exploits0References3
EUVD
EUVD
added 2026/03/20 11:21 p.m.5 views

EUVD-2026-13912

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a non-staff user with elevated group membership could access deleted posts belonging to any user due to an overly broad authorization check on the deleted posts index endpoint. Versions...

7.1CVSS5.8AI score0.00274EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/19 8:39 p.m.4 views

CVE-2026-27454 Discourse has check revision visibility on posts endpoint

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, requesting /posts/:id.json?version=X bypassed authorization checks on post revisions. The displaypost method called post.revertto directly without verifying whether the revision was hidde...

5.3CVSS5.8AI score0.00388EPSS
Exploits0References4
CVE
CVE
added 2026/03/19 8:39 p.m.9 views

CVE-2026-27454

Discourse before versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allowed unauthorized access to hidden post revisions via GET /posts/:id.json?version=X because display_post called post.revert_to without verifying revision visibility or editor permissions. The root cause was missing authorizati...

5.3CVSS5.8AI score0.00388EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 12:58 p.m.8 views

Langflow is Missing Ownership Verification in API Key Deletion (IDOR)

Detection Method: Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Location | src/backend/base/langflow/api/v1/apikey.py:44-53 | | Practical Exploitability | High | | Developer Approver | [email protected] | Description The deleteapikeyroute endpoint accepts an apikeyid path parameter a...

8.8CVSS5.9AI score0.0039EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 9:18 p.m.12 views

Admidio is Missing Authorization on Forum Topic and Post Deletion

Summary The forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topicdelete and postdelete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete. Any authenticated user with...

6.5CVSS5.9AI score0.00226EPSS
Exploits1References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/16 11:16 a.m.1 views

CVE-2026-2461 Missing authorization check allows unauthorized modification of other users' comments on a board

Mattermost Plugins versions =11.3 11.0.3 11.2.2 10.10.11.0 fail to implement authorisation checks on comment block modifications, which allows an authorised attacker with editor permission to modify comments created by other board members. Mattermost Advisory ID: MMSA-2025-00559...

4.3CVSS5.8AI score0.00162EPSS
Exploits1References1
Rows per page
Query Builder