CVE-2026-10622

Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/ endpoints...

CVE-2026-8878

Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover...

CVE-2026-10622

Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/ endpoints...

PT-2026-45746

Improper Authentication in REST API in Collibra Agent, allows a remote unauthenticated attacker to access privileged functionality via exposed '/rest/ endpoints...

EUVD-2026-31156

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop v0.101.3 allows full authentication bypass when running in an Electron environment. When Trilium detects an...

CVE-2026-40976

A flaw was found in Spring Boot. Under specific conditions, including being a servlet-based web application without custom Spring Security configuration and relying on the default web security filter chain, a remote attacker could bypass security. This allows unauthorized access to all applicatio...

Scramble 代码注入漏洞

Scramble is a tool developed by de:doc for automatically generating API documentation for Laravel projects. Versions of Scramble from 0.13.2 to 0.13.22 contained a code injection vulnerability. This vulnerability stemmed from the exposed documentation endpoints and the use of validation rules tha...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the nnef-oam route group due to missing inbound authentication and authorization checks. An attacker can gain unauthorized access to administrative operations by sending unauthenticated requests to the exposed...

PraisonAI 访问控制错误漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI from 2.5.6 to 4.6.34 contained an access control vulnerability. This vulnerability stemmed from the Flask API server, which disabled authentication by default, allowing callers without a...

Nutanix Prism Central 访问控制错误漏洞

Nutanix Prism Central is a centralized management console provided by the American company Nutanix. Nutanix Prism Central has an access control vulnerability, which stems from improper access controls. This vulnerability allows unauthenticated attackers to access the system via the network, send...

EUVD-2026-24084

This vulnerability exists in Quantum Networks router due to improper access control and insecure default configuration in the web-based management interface. An unauthenticated attacker could exploit this vulnerability by accessing exposed API endpoints on the targeted device. Successful...

CVE-2026-41039

CVE-2026-41039 affects the Quantum Networks router (e.g., QN-I-470). The root cause is improper access control and insecure default configuration in the web-based management interface, enabling an unauthenticated attacker to access exposed API endpoints. This could allow retrieval of sensitive in...

CVE-2026-41039

This vulnerability exists in Quantum Networks router due to improper access control and insecure default configuration in the web-based management interface. An unauthenticated attacker could exploit this vulnerability by accessing exposed API endpoints on the targeted device. Successful...

CVE-2025-13480

Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been...

Directory Traversal

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Directory Traversal via the translation memory API when unintended endpoints are exposed without proper access control. An attacker can acce...

CVE-2026-27449

Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the...

CVE-2026-28408

WeGIA is a web manager for charitable institutions. Prior to version 3.6.5, the script in adicionartipodocsatendido.php does not go through the project's central controller and does not have its own authentication and permission checks. A malicious user could make a request through tools like...

Improper Following of a Certificate's Chain of Trust

Overview Affected versions of this package are vulnerable to Improper Following of a Certificate's Chain of Trust in the exposed API endpoints that do not enforce authentication or authorization checks. An attacker can access and retrieve sensitive data associated with arbitrary records by direct...

GHSA-QW99-GRCX-4PVM OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback

Summary The Chrome extension relay ensureChromeExtensionRelayServer previously treated wildcard hosts 0.0.0.0 / :: as loopback, which could make it bind the relay HTTP/WS server to all interfaces when a wildcard cdpUrl was passed. Impact If configured with a wildcard cdpUrl, relay HTTP endpoints...

CVE-2026-24321

SAP Commerce Cloud exposes multiple API endpoints to unauthenticated users, allowing them to submit requests to these open endpoints to retrieve sensitive information that is not intended to be publicly accessible via the front-end. This vulnerability has a low impact on confidentiality and does...