Information Disclosure

Directus is vulnerable to information disclosure. The vulnerability is due to different error messages returned by the /items/collection API when accessing unauthorized existing collections versus non-existent collections, which allows an attacker to enumerate and discover the existence of...

Exploit for Deserialization of Untrusted Data in Nextgen Mirth_Connect

CVE-2023-43208 — Mirth Connect RCE !Pythonhttps://img.shie...

Immutable collections for JavaScript 安全漏洞

Immutable Collections for JavaScript is an open-source immutable data collection library developed by Immutable.js. There were security vulnerabilities in versions prior to 3.8.3, 4.3.7, and 5.1.5 of Immutable Collections for JavaScript. These vulnerabilities stemmed from prototype pollution issu...

CVE-2026-27802

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4...

CVE-2026-27802 Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4...

CVE-2026-27802 Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4...

CVE-2026-27802

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4...

CVE-2026-27802

CVE-2026-27802 concerns Vaultwarden (unofficial Bitwarden-compatible server in Rust). A Privilege Escalation flaw allows a Manager (authorized user with access_all=false) to perform a bulk permission update that grants themselves access to collections they should not control. Multiple sources des...

CVE-2026-27802 Vaultwarden: Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager

Vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwardenrs. Prior to version 1.35.4, there is a privilege escalation vulnerability via bulk permission update to unauthorized collections by Manager. This issue has been patched in version 1.35.4...

EUVD-2026-9502

Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager...

GHSA-R32R-J5JQ-3W4M Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager

Summary A Manager account accessall=false was able to escalate privileges by directly invoking the bulk-access API against collections that were not originally assigned to them. The API allowed changing assigned=false to assigned=true, resulting in unauthorized access. Additionally, prior to the...

Vaultwarden has Privilege Escalation via Bulk Permission Update to Unauthorized Collections by Manager

Summary A Manager account accessall=false was able to escalate privileges by directly invoking the bulk-access API against collections that were not originally assigned to them. The API allowed changing assigned=false to assigned=true, resulting in unauthorized access. Additionally, prior to the...

Vaultwarden 安全漏洞

Vaultwarden is an alternative implementation of the Bitwarden server API, developed by Daniel García. Versions of Vaultwarden prior to 1.35.4 contained a security vulnerability. This vulnerability stemmed from the ability of the Manager to access unauthorized collections through batch permission...

PT-2026-23071

Name of the Vulnerable Software and Affected Versions Vaultwarden versions prior to 1.35.4 Description A Manager account with limited permissions was able to gain elevated privileges by using the bulk-access API to modify permissions on collections they were not originally authorized to access. T...

CVE-2026-28354 ClipBucket v5 has IDOR in Collection Item Management

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another user’s collection items. This affects both add item /actions/addtocollection.php due to missi...

CVE-2026-28354 ClipBucket v5 has IDOR in Collection Item Management

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another user’s collection items. This affects both add item /actions/addtocollection.php due to missi...

EUVD-2026-9062

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 59, collection item operations are vulnerable to authorization flaws, allowing a normal authenticated user to modify another user’s collection items. This affects both add item /actions/addtocollection.php due to missi...

CVE-2026-28217 IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...

CVE-2026-28217 IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...

CVE-2026-28217 IDOR in GraphQL userCollection Query Exposes Other Users' Private Collections

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...