Lucene search
K

42 matches found

Cvelist
Cvelist
added 2026/06/24 8:27 p.m.22 views

CVE-2026-52808 Gogs: Write-level collaborators can mutate admin-only repository settings via API

Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent...

7.1CVSS0.00478EPSS
Exploits0References4
CVE
CVE
added 2026/06/24 8:27 p.m.9 views

CVE-2026-52808

Summary : Gogs exposes an authorization flaw where three admin-equivalent API endpoints (PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, POST /api/v1/repos/:owner/:repo/mirror-sync) are protected by write-level middleware (reqRepoWriter) instead of admin-lev...

7.1CVSS5.9AI score0.00478EPSS
Exploits0References4
OSV
OSV
added 2026/06/23 5:3 p.m.2 views

GHSA-268J-37XF-PP52 Gogs's write-level collaborators can mutate admin-only repository settings via API

Summary Three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent operations in the web UI sit behind reqRepoAdmin, which requir...

7.1CVSS6AI score0.00478EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/23 5:3 p.m.8 views

Gogs's write-level collaborators can mutate admin-only repository settings via API

Summary Three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent operations in the web UI sit behind reqRepoAdmin, which requir...

7.1CVSS6AI score0.00478EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.16 views

PT-2026-51626

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Description An authorization bypass exists where three API endpoints are protected by write-level middleware instead of administrator-level middleware. This allows a collaborator with write access to perfor...

7.1CVSS5.9AI score0.00478EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2026/05/15 6:23 p.m.9 views

CVE-2026-44718 Mathesar: Missing collaborator checks allowed access to saved explorations in other databases

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an explorationid without verifying that the requesting user was a collaborator on the...

5.3CVSS5.8AI score0.00278EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.18 views

PT-2026-41351

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration id without verifying that the requesting user was a collaborator on the...

5.3CVSS5.8AI score0.00278EPSS
Exploits0References2
OSV
OSV
added 2026/03/26 8:33 p.m.3 views

GO-2026-4846 Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports...

6.5CVSS5.9AI score0.00297EPSS
Exploits1References3
OSV
OSV
added 2026/03/25 9:17 p.m.6 views

GHSA-7C2G-P23P-4JG3 Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Summary The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later...

6.5CVSS5.9AI score0.00297EPSS
Exploits1References4
GitLab Advisory Database
GitLab Advisory Database
added 2026/03/25 12:0 a.m.11 views

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration we...

6.5CVSS5.9AI score0.00297EPSS
Exploits1References5Affected Software1
Cvelist
Cvelist
added 2026/03/24 3:36 p.m.17 views

CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...

6.5CVSS0.00297EPSS
Exploits1References2
CVE
CVE
added 2026/03/24 3:36 p.m.12 views

CVE-2026-33677

Vikunja (self-hosted task management) prior to version 2.2.1 exposes webhook BasicAuth credentials (basic_auth_user, basic_auth_password) via GET /api/v1/projects/:project/webhooks to any user with read access. The code already masks the HMAC secret, but the BasicAuth fields were not masked after...

6.5CVSS5.9AI score0.00297EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/03/24 3:36 p.m.7 views

CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...

6.5CVSS6.5AI score0.00297EPSS
Exploits1References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.4 views

EUVD-2021-0961

Malware in sbrugna...

9.8CVSS9.3AI score0.01528EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2025-12377

Malicious code in bioql PyPI...

5.5CVSS6.6AI score0.0024EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/05/22 8:9 a.m.10 views

CVE-2019-14544

routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks...

9.8CVSS6.8AI score0.01528EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/04/25 9:15 p.m.8 views

CVE-2024-12862

Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4...

5.5CVSS6.9AI score0.0024EPSS
Exploits0References1
NVD
NVD
added 2025/04/21 3:15 p.m.13 views

CVE-2024-12862

Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4...

5.5CVSS0.0024EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/04/21 2:22 p.m.21 views

CVE-2024-12862 REST API allows users without permissions to remove external collaborators

Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4...

5.5CVSS0.0024EPSS
Exploits0References1
CVE
CVE
added 2025/04/21 2:22 p.m.1280 views

CVE-2024-12862

CVE-2024-12862 describes an Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows and Linux, allowing users without proper permissions to remove external collaborators. Affected versions: Content Server 20.2–24.4. CVSS v4.0 base score 5.5 (Medium). No public exp...

5.5CVSS6.5AI score0.0024EPSS
Exploits0References1
Rows per page
Query Builder