250 matches found
CVE-2026-40152
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the listfiles tool in FileTools validates the directory parameter against workspace boundaries via validatepath, but passes the pattern parameter directly to Path.glob without any validation. Since Python's Path.glob supports .. path...
CVE-2026-33005
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query the web service with their credentials and get the files/sub-folders of any folder by ID (metadata only, NOT contents). Metadata includes id, type, name and some other fields. Full list of fields...
CVE-2026-33005
Apache OpenMeetings is affected by an Improper Handling of Insufficient Privileges vulnerability. A registered user can query the web service with their credentials and retrieve metadata (e.g., id, type, name, and other FileItemDTO fields) for files and sub-folders of any folder by ID, with no co...
PT-2026-31639
Name of the Vulnerable Software and Affected Versions: Apache OpenMeetings versions prior to 9.0.0. Description: A registered user can query a web service with their credentials and retrieve metadata (id, type, name, and other fields from the FileItemDTO object) for files and sub-folders of any folder...
PT-2026-31791
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the list files tool in FileTools validates the directory parameter against workspace boundaries via validate path, but passes the pattern parameter directly to Path.glob without any validation. Since Python's Path.glob supports .. pa...
SUSE CVE-2026-4265
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the upload process. An attacker can bypass team-specific file upload restrictions by uploading files in a team where they have permission and reusing the file metadata in a POST request to a different team...
EUVD-2026-12425
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file...
CVE-2026-4265
Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file...
PT-2026-25705
Mattermost fails to validate team-specific upload file permissions in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports fr...
BIT-PARSE-2026-30850 Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...
GHSA-HWX8-Q9CG-MQMC Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Impact: The file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This affects any...
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Impact: The file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This affects any...
Missing Authorization
Overview: parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authorization in the GET /files/:appId/metadata/:filename endpoint due to the lack of enforcement of beforeFind and...
CVE-2026-30850
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...
CVE-2026-30850 Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as...