4148 matches found
CVE-2026-39309
Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission...
CVE-2026-44201
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections. This...
CVE-2026-45714
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection SSTI vulnerability exists in multiple modules of CubeCart including Email Templates, Invoices, Documents, and Contact Forms. The application unsafely evaluates user-supplied input using the...
CVE-2026-40867
Horilla is a free and open source Human Resource Management System HRMS. In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view attachments from other tickets by changing the attachment ID. This can expose sensitive support files an...
CVE-2026-40865
Horilla is a free and open source Human Resource Management System HRMS. In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other employees’ uploaded documents by changing the document ID in the request. This exposes sensitive HR...
XML Entity Expansion
Overview docling is a SDK and CLI for parsing PDF, DOCX, HTML, and more, to a unified document representation for powering downstream workflows such as gen AI applications. Affected versions of this package are vulnerable to XML Entity Expansion in backend/xml/usptobackend.py's use of parseStrin...
CVE-2026-46722
The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index...
Important: Red Hat Security Advisory: expat security update
An update for expat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the...
[SECURITY] Fedora 43 Update: python-wsgidav-4.3.4-1.fc43
A generic and extendable WebDAV server written in Python and based on WSGI. Main features: =E2=80=A2 WsgiDAV is a stand-alone WebDAV server with SSL support, that can be installed and run as Python command line script. =E2=80=A2 The python-pam library is needed as extra requirement if pam-login...
PT-2026-46103
Impact In versions = 2.82.0, 2.91.0, if the HTML backend was explicitly configured for rendering rendering option by default deactivated, then the Playwright-based rendering feature could allow JavaScript execution and unrestricted network access when processing untrusted HTML documents. An...
Ubuntu 25.10 / 26.04 LTS : LibreOffice vulnerability (USN-8352-1)
The remote Ubuntu 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8352-1 advisory. Duc Anh Nguyen discovered that LibreOffice incorrectly handled mismatched encryption salt parameters in crafted OOXML documents. An attacker could use thi...
CVE-2026-10282 Bottelet DaybydayCRM DocumentsController.php view improper authorization
A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to...
CVE-2026-10282 Bottelet DaybydayCRM DocumentsController.php view improper authorization
A security vulnerability has been detected in Bottelet DaybydayCRM up to 2.2.1. This impacts the function view of the file app/Http/Controllers/DocumentsController.php. Such manipulation leads to improper authorization. The attack may be launched remotely. It is best practice to apply a patch to...
CVE-2026-10282
CVE-2026-10282 affects Bottelet DaybydayCRM (up to version 2.2.1). The vulnerability is in the view function of app/Http/Controllers/DocumentsController.php, enabling improper authorization from a remote attacker. The description notes that applying a patch resolves the issue. No exploit details ...
Chromium: CVE-2026-9947 Use after free in XML
This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...
GHSA-Q6W3-HPFV-RG36 Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders
Summary modules/documents-files.php mode filerenamesave shares the same root-cause shape as the cross-folder move bug 05-documents-cross-folder-move-idor.md: the top-level rights check at lines 79-89 validates hasUploadRight on the URL parameter folderuuid, but the rename operation acts on fileuu...
GHSA-QC4C-HRMC-4F78 Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges
Summary An authenticated Admidio member with upload rights on any one folder can permanently delete files from folders where they have only view access. The authorization check at the top of modules/documents-files.php evaluates upload rights against the attacker-supplied folderuuid URL parameter...
[SECURITY] Fedora 43 Update: podofo-1.0.4-1.fc43
PoDoFo is a library to work with the PDF file format. The name comes from the first letter of PDF Portable Document Format. A few tools to work with PDF files are already included in the PoDoFo package. The PoDoFo library is a free, portable C++ library which includes classes to parse PDF files a...
[SECURITY] Fedora 44 Update: podofo-1.0.4-1.fc44
PoDoFo is a library to work with the PDF file format. The name comes from the first letter of PDF Portable Document Format. A few tools to work with PDF files are already included in the PoDoFo package. The PoDoFo library is a free, portable C++ library which includes classes to parse PDF files a...
USN-8340-1: LibreOffice vulnerability
Duc Anh Nguyen discovered that LibreOffice incorrectly handled mismatched encryption salt parameters in crafted OOXML documents. An attacker could use this issue to cause LibreOffice to crash, resulting in a denial of service, or possibly execute arbitrary code...