PT-2026-45065

Summary Type: Insecure Direct Object Reference. Five label endpoints — PATCH /workspaces/workspace id/labels/label id, DELETE .../labels/label id, POST .../issues/issue id/labels/label id, DELETE .../issues/issue id/labels/label id, GET .../issues/issue id/labels — gate access on require workspac...

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak itself. Keycloak has a security vulnerability, which stems from the fact that the Account REST API is only partially disabled. Five endpoints remain fully functional, and there is no gatekeeper for...

GHSA-42CR-W2GR-M54Q wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data

Summary Five routine detail action endpoints check a cache before calling self.getobject. Cache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership...

wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data

Summary Five routine detail action endpoints check a cache before calling self.getobject. Cache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership...