
14 matches found

Cvelist
added 2026/06/11 10:3 a.m. · 22 views

CVE-2026-53912 Cerebrate self-registration password hash exposure via inbox and audit log views

Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, a...

CVSS 5.1 · EPSS 0.00242
Exploits 0 · References 1
CVE
added 2026/06/11 10:3 a.m. · 16 views

CVE-2026-53912

Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored registrant password hashes in the inbox message payload, which were returned unredacted through inbox index/view responses (HTML/JSON/CSV) and could be written unredact...

CVSS 5.1 · AI score 5.4 · EPSS 0.00242
Exploits 0 · References 1
RedhatCVE
added 2026/04/18 7:22 a.m. · 4 views

CVE-2026-34164

Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifier...

CVSS 4.9 · AI score 5.7 · EPSS 0.00366
Exploits 0 · References 1
Vulnrichment
added 2026/04/16 9:17 p.m. · 2 views

CVE-2026-34164 Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService

Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox messages can contain highly sensitive information including personal data (PII), citizen identifier...

CVSS 4.9 · AI score 5.7 · EPSS 0.00366
Exploits 0 · References 5
CVE
added 2026/04/16 9:17 p.m. · 6 views

CVE-2026-34164

CVE-2026-34164 concerns Valtimo, where the InboxHandlingService logged the full content of incoming inbox messages at INFO level across versions 13.0.0–13.21.0. This exposed sensitive data (PII, BSN, case details) to anyone with log access or admin UI users. The issue was fixed in 13.22.0: the lo...

CVSS 4.9 · AI score 5.8 · EPSS 0.00366
Exploits 0 · References 5
Positive Technologies
added 2026/04/16 12:0 a.m. · 2 views

PT-2026-33366

Name of the Vulnerable Software and Affected Versions: Valtimo versions 13.0.0 through 13.21.0. Description: The InboxHandlingService function handle in the inbox module logs the full content of every incoming inbox message at the INFO level. These messages may contain sensitive information, such as...

CVSS 4.9 · AI score 5.8 · EPSS 0.00366
Exploits 0 · References 9
OSV
added 2025/11/12 10:15 p.m. · 1 view

CVE-2025-63645

A stored cross-site scripting (XSS) vulnerability exists in pH7Software pH7-Social-Dating-CMS 17.9.1 in the application's message system. Unsanitized message content submitted by one user is persisted by the server and later rendered in another user's Inbox view without appropriate context-aware...

CVSS 5.4 · AI score 5.7 · EPSS 0.00171
Exploits 1 · References 2
RedhatCVE
added 2025/05/23 7:41 a.m. · 4 views

CVE-2024-55186

An IDOR (Insecure Direct Object Reference) vulnerability exists in oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging...

CVSS 4.3 · AI score 6.6 · EPSS 0.00274
Exploits 0 · References 1
Github Security Blog
added 2024/12/20 6:31 p.m. · 12 views

Oqtane Framework Insecure Direct Object Reference vulnerability

An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging...

CVSS 4.3 · AI score 6.5 · EPSS 0.00274
Exploits 0 · References 4 · Affected Software 4
OSV
added 2024/12/20 4:15 p.m. · 2 views

CVE-2024-55186

An IDOR (Insecure Direct Object Reference) vulnerability exists in oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging...

CVSS 4.3 · AI score 5.8 · EPSS 0.00274
Exploits 0 · References 2
Positive Technologies
added 2024/12/20 12:0 a.m. · 2 views

PT-2024-36490 · Unknown · Oqtane Framework

Name of the Vulnerable Software and Affected Versions: oqtane Framework version 6.0.0. Description: An IDOR (Insecure Direct Object Reference) issue exists, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the...

CVSS 4.3 · AI score 7 · EPSS 0.00274
Exploits 0 · References 8
CNNVD
added 2024/08/23 12:0 a.m. · 4 views

SMSEagle Security Vulnerability

SMSEagle is specialized hardware SMS gateway software from SMSEagle, Inc. for sending and receiving SMS messages. A security vulnerability exists in SMSEagle version 6.0 that stems from the application not properly sanitizing user input from SMS messages in the inbox, leading to a stored cross-sit...

CVSS 6.1 · AI score 6.2 · EPSS 0.00239
Exploits 0 · References 2
Hacker One
added 2020/09/20 11:30 a.m. · 28 views

Zivver: one delegate can add another delegate and delete other delegates, exposing all confidential inbox messages

Summary: One delegate can add another delegate and delete other delegates, exposing all inbox messages to other delegates, and hence all the confidential info can be seen by newly added delegates. Steps To Reproduce: add details for how we can reproduce the issue 1. Login as User1 and add a...

AI score 6.5
Exploits 0
securityvulns
added 2010/03/18 12:0 a.m. · 46 views

Sun Java System Communication Express CSRF via HPP

Hello, As a continuation of my advisory about "Sun Java System Communications Express Multiple HTML Injection Vulnerabilities" that can be found here: http://www.securityfocus.com/bid/34083/info, I would like to introduce another potential security threat in the same product and based on my...

AI score 0.1
Exploits 0