
58 matches found

RedhatCVE
added 3 days ago, 6 views

CVE-2026-45281

A flaw was found in Nextcloud Server. An authenticated user, with knowledge of another user's principal URL, could exploit improper authorization controls to gain full access to that user's calendar. This allows the attacker to view and modify the victim's calendar, leading to unauthorized...

CVSS: 8.1, AI score: 5.6, EPSS: 0.00027
Exploits: 0, References: 2

NVD
added 3 days ago, 9 views

CVE-2026-45281

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the...

CVSS: 8.1, EPSS: 0.00027
Exploits: 0, References: 3

CVE
added 3 days ago, 11 views

CVE-2026-45281

CVE-2026-45281 affects Nextcloud Server versions 32.0.0–32.0.8 and 33.0.0–33.0.2. The issue stems from improper authorization in the calendar backend, requiring an authenticated attacker who knows another user’s principal URL. An authenticated user could potentially send a request to gain full ac...

CVSS: 8.1, AI score: 5.7, EPSS: 0.00027
Exploits: 0, References: 3, Affected Software: 1

ATTACKERKB
added 3 days ago, 4 views

CVE-2026-45281

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the...

CVSS: 8.1, AI score: 5.7, EPSS: 0.00027
Exploits: 0, References: 4, Affected Software: 1

Positive Technologies
added 3 days ago, 8 views

PT-2026-45525

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the...

CVSS: 8.1, AI score: 5.7, EPSS: 0.00027
Exploits: 0, References: 4

EUVD
added 2026/05/21 8:56 p.m., 6 views

EUVD-2026-31348

Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a...

CVSS: 6.3, AI score: 5.8, EPSS: 0.00031
Exploits: 0, References: 1

Vulnrichment
added 2026/04/10 4:4 p.m., 1 view

CVE-2026-35598 Vikunja has Missing Authorization on CalDAV Task Read

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...

CVSS: 4.3, AI score: 5.9, EPSS: 0.00033
Exploits: 1, References: 4

OSV
added 2026/03/26 8:33 p.m., 1 view

GO-2026-4849 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

CVSS: 8.1, AI score: 5.9, EPSS: 0.00107
Exploits: 1, References: 7

EUVD
added 2026/03/25 9:10 p.m., 0 views

EUVD-2026-14913

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect...

CVSS: 7.1, AI score: 5.8, EPSS: 0.00107
Exploits: 1, References: 7

NVD
added 2026/03/24 4:16 p.m., 0 views

CVE-2026-33668

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...

CVSS: 8.1, EPSS: 0.00107
Exploits: 1, References: 6

GitHub Security Blog
added 2026/03/20 5:25 p.m., 4 views

Vikunja has a 2FA Bypass via Caldav Basic Auth

Summary The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc. Details...

CVSS: 6.9, AI score: 5.8, EPSS: 0.00112
Exploits: 1, References: 5, Affected Software: 1

Positive Technologies
added 2026/01/21 12:0 a.m., 3 views

PT-2026-3764

GitHub - canyie/CVE-2024-23700: PoC for CVE-2024-23700, privilege escalation allows silently obtain permissions to read/write contacts, SMS, calendar, call log and voicemail, make outgoing calls or answer incoming calls, manipulate call settings, access https://t.co/CCm7jUKWw6...

AI score: 5.4
Exploits: 1, References: 1

OSV
added 2026/01/12 4:16 p.m., 3 views

CVE-2025-71063

Errands before 46.2.10 does not verify TLS certificates for CalDAV servers...

CVSS: 7.5, AI score: 6.8
Exploits: 0, References: 5

EUVD
added 2026/01/12 3:56 p.m., 2 views

EUVD-2026-1930

Errands before 46.2.10 does not verify TLS certificates for CalDAV servers...

CVSS: 8.2, AI score: 6.4, EPSS: 0.00021
Exploits: 0, References: 6

OSV
added 2025/11/08 12:22 a.m., 2 views

CVE-2025-64490 SuiteCRM's Inconsistent RBAC Enforcement Enables Access Control Bypass

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Versions 7.14.7 and prior, 8.0.0-beta.1 through 8.9.0 allow a low-privileged user with a restrictive role to view and create work items through the Resource Calendar and project screens, even...

CVSS: 8.3, AI score: 6.4, EPSS: 0.00057
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2017-1247

Malware in sbrugna...

CVSS: 4.3, AI score: 4.7, EPSS: 0.00793
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2013-0324

Malware in sbrugna...

CVSS: 4, AI score: 6.3, EPSS: 0.00284
Exploits: 0, References: 4

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2013-2025

Malware in sbrugna...

CVSS: 4, AI score: 6.1, EPSS: 0.00176
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-22723

Malware in sbrugna...

CVSS: 4.3, AI score: 4.8, EPSS: 0.00132
Exploits: 0, References: 4

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2015-6608

Malware in sbrugna...

CVSS: 4, AI score: 6.1, EPSS: 0.00176
Exploits: 0, References: 5