PYSEC-2026-150

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This...

CVE-2026-44201 Wagtail: Improper restriction handling on Documents and Images API

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This...

CVE-2026-44201 Wagtail: Improper restriction handling on Documents and Images API

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This...

CVE-2026-44201

CVE-2026-44201 (Wagtail) : The Documents and Images API improperly listed items in private collections, allowing a user with API access to see filenames and names of documents/images in private collections. Root cause: insufficient access restrictions in the API prior to versions 7.0.7, 7.3.2, an...

bitwarden 安全漏洞

Bitwarden is an open-source password management backend service developed by Bitwarden. Versions of Bitwarden prior to 2026.4.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authorization checks, allowing any authenticated user to write passwords to any...

PT-2026-39749

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking whether the requesting user has access to each collection's library. An authenticated user with...

Wagtail has improper restriction handling on Documents and Images API

Impact The Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. Patches Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature releas...

GHSA-P5GM-92H4-6PV6 Wagtail has improper restriction handling on Documents and Images API

Impact The Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. Patches Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature releas...

Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection

Global Knowledge Base Enumeration via knowledge-bases Meta-Collection Affected Component Retrieval collection access validation: - backend/openwebui/routers/retrieval.py lines 2330-2355, validatecollectionaccess - backend/openwebui/routers/retrieval.py query endpoints, e.g. POST /query/doc Affect...

CVE-2026-33420

A flaw was found in Vaultwarden. A Manager-role user with limited access permissions can exploit a missing authorization check in the getorgcollectionsdetails endpoint. This vulnerability allows the user to retrieve sensitive information, including names, UUIDs, and user and group mappings for al...

PT-2026-39236

Name of the Vulnerable Software and Affected Versions Wagtail versions prior to 7.0.7 Wagtail versions prior to 7.3.2 Description The Documents and Images API incorrectly lists items in private collections, allowing a user with API access to view the filename and name of documents and images stor...

CVE-2026-33420

Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the getorgcollectionsdetails endpoint GET /api/organizations/orgid/collections/details is missing the hasfullaccess authorization check that exists on the sibling getorgcollections endpoint. This allows a...

EUVD-2026-27448

Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the getorgcollectionsdetails endpoint GET /api/organizations/orgid/collections/details is missing the hasfullaccess authorization check that exists on the sibling getorgcollections endpoint. This allows a...

CVE-2026-33420 Vaultwarden missing authorization check allows Manager-role users to enumerate all collections

Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the getorgcollectionsdetails endpoint GET /api/organizations/orgid/collections/details is missing the hasfullaccess authorization check that exists on the sibling getorgcollections endpoint. This allows a...

CVE-2026-33420

Vaultwarden (Rust) versions 1.35.4 and earlier are affected by a missing has_full_access() authorization check on GET /api/organizations/{org_id}/collections/details, allowing any Manager-role user with accessAll=False and no collection assignments to enumerate all collections’ names, UUIDs, user...

PT-2026-37220

Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get org collections details endpoint GET /api/organizations/org id/collections/details is missing the has full access authorization check that exists on the sibling get org collections endpoint. This...

Vaultwarden 安全漏洞

Vaultwarden is an alternative implementation of the Bitwarden server API, developed by Daniel García. Versions of Vaultwarden 1.35.4 and earlier contained a security vulnerability. This vulnerability stemmed from the lack of a hasfullaccess authorization check in the getorgcollectionsdetails...

RHCOS 2 : Red Hat OpenShift Enterprise 2.2.10 (RHSA-2016:1773)

The remote Red Hat Enterprise Linux CoreOS 2 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:1773 advisory. - CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix CVE-2014-3577 - apache-commons-collections: InvokerTransformer...

Astra Linux – Vulnerability in snakeyaml

The package org.yaml:snakeyaml in versions 0 and earlier than 1.31 is vulnerable to Denial of Service DoS attacks due to a missing nested depth limitation in collections...

Directory Traversal

Overview pygeoapi is a pygeoapi provides an API to geospatial data Affected versions of this package are vulnerable to Directory Traversal via the STAC FileSystemProvider process. An attacker can access sensitive directories and files by sending crafted requests containing directory traversal...