1014 matches found
GHSA-87X4-J8VH-P5QF Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure
Executive Summary A security vulnerability exists in the Plane project management platform that allows unauthenticated attackers to enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django RE...
PT-2026-23619
Name of the Vulnerable Software and Affected Versions Plane versions prior to 1.2.2 Description An issue exists in Plane that allows unauthenticated attackers to enumerate workspace members and extract sensitive information, including email addresses, user roles, and internal identifiers. This is...
CVE-2026-2025
The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoint, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog...
CVE-2026-2025 Mail Mint < 1.19.5 - Unauthenticated Emails Disclosure
The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoint, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog...
GHSA-W878-F8C6-7R63 Statamic's missing authorization allows access to email addresses
Impact User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission. Patches This has been fixed in 5.73.11 and 6.4.0...
Statamic's missing authorization allows access to email addresses
Impact User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission. Patches This has been fixed in 5.73.11 and 6.4.0...
CVE-2026-28424 Statamic's missing authorization allows access to email addresses
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...
CVE-2026-28424 Statamic's missing authorization allows access to email addresses
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...
CVE-2026-28424 Statamic's missing authorization allows access to email addresses
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...
CVE-2026-28288 Dify has a user enumeration issue
Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue...
CVE-2026-28288
Dify (open-source LLM app development platform) has a user enumeration vulnerability in its API prior to version 1.9.0, where responses differ between existing and non-existent accounts, enabling email-address enumeration. The issue is addressed in version 1.9.0. Exploitation is noted as a proof-...
BIT-SUPERSET-2026-23983 Apache Superset: Sensitive Data Exposure via REST API (disabled by default)
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint disabled by default allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the A...
PT-2026-22210
Name of the Vulnerable Software and Affected Versions Hoppscotch versions prior to 2026.2.0 Description Hoppscotch, an API development ecosystem, had a critical security issue where an unauthenticated attacker could overwrite the entire infrastructure configuration of a self-hosted instance. This...
Apache Superset allows authenticated users to view sensitive data without explicit permissions
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint disabled by default allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the A...
GHSA-H294-8FXM-M2PJ Apache Superset allows authenticated users to view sensitive data without explicit permissions
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint disabled by default allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the A...
CVE-2026-23983 Apache Superset: Sensitive Data Exposure via REST API (disabled by default)
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint disabled by default allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the A...
CVE-2026-23983 Apache Superset: Sensitive Data Exposure via REST API (disabled by default)
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint disabled by default allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the A...
EUVD-2026-8477
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint disabled by default allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the A...
CVE-2026-23983 Apache Superset: Sensitive Data Exposure via REST API (disabled by default)
A Sensitive Data Exposure vulnerability exists in Apache Superset allowing authenticated users to retrieve sensitive user information. The Tag endpoint disabled by default allows users to retrieve a list of objects associated with a specific tag. When these associated objects include Users, the A...
CVE-2026-23983
Apache Superset (CVE-2026-23983) has an information disclosure vulnerability via the Tag endpoint (disabled by default). When the tagged objects include Users, the API may serialize and return sensitive fields such as password hashes (pbkdf2), email addresses, and login statistics to authenticate...