GHSA-FRF7-JHP9-JXM6 MantisBT Vulnerable to Privilege Escalation from Manager to Administrator

Insufficient access control checks in ProjectUsersAddCommand used in manageprojuseradd.php and REST API endpoint PUT /project/id/users allows users having manageprojectthreshold access level manager by default to grant project-level administrator access to any user including themselves in any...

CVE-2026-30522

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering...

CVE-2026-30521

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this...

CVE-2026-30522

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering...

CVE-2026-30522

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering...

EUVD-2026-17583

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this...

CVE-2026-30521

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this...

PT-2026-29325

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this...

CVE-2026-30521

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this...

CVE-2026-32139 Dataease: Unfiltered active SVG content leads to Stored XSS

Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as...

EUVD-2026-11284

Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign...

CVE-2025-56605

A reflected Cross-Site Scripting XSS vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. The mobile POST parameter is improperly validated and echoed back in the HTTP response without sanitization, allowing an attacker to inject and execute...

Keycloak 代码问题漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak itself. Keycloak has code-related vulnerabilities; these vulnerabilities stem from insufficient backend notification endpoint validation by the CIBA function regarding client configurations. This may lead to...

CVE-2026-24772 OpenProject has SSRF and CSWSH in Hocuspocus Synchronization Server

OpenProject is an open-source, web-based project management software. To enable the real time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenPrioject backend generates an authentication token that is currently valid for 24 hours, encrypts it with a share...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via insufficient backend validation in the Agent service's database query tool. An attacker can access sensitive information from the server and database by using prompt-based bypass techniques to evade query restrictions...

CVE-2025-65900

Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all...

EUVD-2024-27856

Malicious code in bioql PyPI...

EUVD-2024-46384

Malicious code in bioql PyPI...

EUVD-2024-42543

Malicious code in bioql PyPI...

CVE-2024-5127

In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of role...