CVE-2026-41951

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

CVE-2026-45716

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

CVE-2026-50205

System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data...

EUVD-2026-34217

System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data...

PT-2026-46156

System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data...

CVE-2026-45716

Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...

Budibase 安全漏洞

Budibase is an open-source low-code platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.38.1 contained security vulnerabilities. These vulnerabilities stemmed from the POST...

Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Summary The POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances, this endpoint bypasses the admin-restricted invite flo...

PT-2026-41795

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.1 Description An issue exists in the "POST /api/global/users/onboard" endpoint, which is protected by the workspaceBuilderOrAdmin middleware. This allows users with builder permissions to access the endpoint. In...

CVE-2026-41132 CKAN: No certificate validation on STMP connection

CKAN is an open-source DMS data management system for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, the configured SMTP server may be spoofed with any certificate e.g. self-signed, leaving credentials and all emails sent open to MITM attacks. This vulnerability is fixed in...

EUVD-2026-29047

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

CVE-2026-41951

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

CVE-2026-41951

The vulnerability CVE-2026-41951 affects GROWI up to v7.5.0, where a path traversal flaw could let an attacker cause the server to execute arbitrary EJS templates when an email server is running. The issue is documented in multiple sources (NVD/CVE entries) with CVSS v3.0/4.0 base scores of 7.2/8...

CVE-2026-41951

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

CVE-2026-41951

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

PT-2026-39589

Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...

SUSE CVE-2017-18911

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server...

PT-2026-20939

Stalwart is a mail and collaboration server. A denial-of-service vulnerability exists in Stalwart Mail Server versions 0.13.0 through 0.15.4 where accessing a specially crafted email containing malformed nested message/rfc822 MIME parts via IMAP or JMAP causes excessive CPU and memory consumption...

CVE-2017-18911

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. The X.509 certificate validation can be skipped for a TLS-based e-mail server...

CVE-2006-3108

Cross-site scripting XSS vulnerability in EmailArchitect Email Server 6.1 allows remote attackers to inject arbitrary Javascript via an HTML div tag with a carriage return between the onmouseover attribute and its value, which bypasses the mail filter...