175 matches found
CVE-2026-27949
Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling e.g., when an invalid magic code is submitted. Transmitting personally...
EUVD-2026-20063
Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked fr...
CVE-2026-27949
Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling e.g., when an invalid magic code is submitted. Transmitting personally...
CVE-2026-27949 Plane Exposes User Email (PII and part of credential) in GET Parameter
Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling e.g., when an invalid magic code is submitted. Transmitting personally...
PT-2026-31015
Plane is an an open-source project management tool. Prior to 1.3.0, a vulnerability was identified in Plane's authentication flow where a user's email address is included as a query parameter in the URL during error handling e.g., when an invalid magic code is submitted. Transmitting personally...
WordPress Front User Submit plugin <= 4.9.5 - Open Redirect vulnerability
Open Redirect vulnerability discovered by Bob Matyas - Automattic in WordPress Plugin WP Front User Submit / Front Editor versions = 4.9.5...
EUVD-2025-199639
The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...
CVE-2025-64065
The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...
CVE-2025-64065
The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...
CVE-2025-64065
Primakon Pi Portal 1.0.18 exposes /api/V2/pp_udfv_admin to authenticated, low-privilege users via an access control flaw (Broken Function Level Authorization) and insecure design, enabling direct PATCH-based impersonation of arbitrary users, including Administrators, without password or admin tok...
PT-2025-48073
The Primakon Pi Portal 1.0.18 API /api/V2/pp udfv admin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...
CVE-2025-64065
The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...
CVE-2025-64065
The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...
CVE-2025-52669
Insecure design policies in the user management system of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to have access to the contact name and email address of other users on the system...
EUVD-2025-198350
Insecure design policies in the user management system of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to have access to the contact name and email address of other users on the system...
CVE-2025-52669
Insecure design policies in the user management system of Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes non-admin users to have access to the contact name and email address of other users on the system...
CVE-2025-52669
CVE-2025-52669 concerns Revive Adserver prior to or at 6.x, where the user management design allows non-admin users to see other users’ contact names and email addresses. The root cause is an insecure design in the User Management / Add user lookup workflow that performs a global account search, ...
CVE-2025-8850 Insecure API Design in danny-avila/librechat
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication 2FA flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...
EUVD-2022-43903
Malicious code in bioql PyPI...
EUVD-2022-32832
Malicious code in bioql PyPI...