EUVD-2026-30774
Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the...
CVE-2026-43889
Outline is a service that allows for collaborative documentation. Prior to 1.7.0, the shares.create API accepts both collectionId and documentId simultaneously and, when published=false, only verifies read access for each—skipping the "share" permission check. A subsequent shares.update authorize...
CVE-2026-43889
Outline is vulnerable prior to 1.7.0 due to the shares.create API accepting both collectionId and documentId and, when published=false, skipping the share-permission check. A subsequent shares.update permits publication using an OR policy (can share collection OR can share document), allowing an ...
CVE-2026-34381
Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, Admidio relies on admmyfiles/.htaccess to deny direct HTTP access to uploaded documents. The Docker image ships with AllowOverride None in the Apache configuration, which causes Apache to silently igno...
CVE-2026-33669
SiYuan is a personal knowledge management system. Prior to version 3.6.2, document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. Version 3.6.2 patches the issue...
CVE-2026-29793 NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type...
CVE-2026-23878
HotCRP vulnerability CVE-2026-23878: Affects HotCRP conference review software where, from commit aa20ef288828b04550950cf67c831af8a525f508 to before commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a site could use the document API to download any submissio...
Unity Linux 20.1070e Security Update: ghostscript (UTSA-2025-993339)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-993339 advisory. gs_lib_ctx_stash_sanitized_arg in base/gslibctx.c in Artifex Ghostscript before 10.05.1 lacks argument sanitization for the case. A created PDF document includes its...
BIT-KIBANA-2025-68386 Kibana Improper Authorization
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted HTTP request...
ONLYOFFICE Docs Trust Management Issue Vulnerability
ONLYOFFICE Docs is an online office software from ONLYOFFICE, Inc. A trust management issue vulnerability exists in ONLYOFFICE Docs versions 22.11 through prior to 25.05 and prior to 25.11, which stems from the use of a hard-coded key to protect the file cache, which could lead to accessing known...
Floragunn Search Guard FLX Security Vulnerability
Floragunn Search Guard FLX is a security component for protecting Elasticsearch from Floragunn, Germany. A security vulnerability exists in Floragunn Search Guard FLX 3.1.2 and earlier versions, which stems from a failure to enforce DLS rules when triggering a search from a Signals watch, which...
EUVD-2020-3113
Malware in sbrugna...
EUVD-2015-6208
Malware in sbrugna...
EUVD-2022-45966
Malicious code in bioql PyPI...
EUVD-2022-6745
Malicious code in bioql PyPI...
CVE-2021-37331
Laravel Booking System Booking Core 2.0 is vulnerable to Incorrect Access Control. On the Verifications page, after uploading an ID Card or Trade License and viewing it, ID Cards and Trade Licenses of other vendors/users can be viewed by changing the URL...
CVE-2019-6515
An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user...
XWiki Platform Security Vulnerability
XWiki Platform is a suite of wiki platforms for creating web collaboration applications from the XWiki Foundation in France. A security vulnerability exists in XWiki versions 6.3-milestone-2 through 14.10.15 and 15.0-rc-1 through 15.5.1, which stems from disclosing the content of all documents to...
PT-2023-8597 · Xwiki · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 6.3-milestone-2 through 14.10.14; XWiki Platform versions 15.5.0 through 15.5.0; XWiki Platform versions 15.6RC0
Description: The Solr-based search suggestion provider in XWiki Platform exposes the content of all documen...
The Secret Vulnerability Finance Execs are Missing
The Other Risk in Finance
A few years ago, a Washington-based real estate developer received a document link from First American, a financial services company in the real estate industry, relating to a deal he was working on. Everything about the document was perfectly fine and normal. The odd...