258 matches found
EUVD-2026-41988
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/uuid endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit...
CVE-2026-34171 Coolify: Account takeover via CSRF-able GET endpoint that resets password to attacker-known value
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the GET /invitations/uuid endpoint can perform a state-changing password reset using an attacker-known invitation UUID, allowing an attacker who can cause a victim to visit...
CVE-2026-34171
CVE-2026-34171 affects Coolify prior to 4.0.0-beta.471. The issue is a CSRF-like, state-changing vulnerability on a GET endpoint: GET /invitations/{uuid} can reset the user password to an attacker-known value if a victim visits a crafted invitation URL. This is due to a password-reset being trigg...
CVE-2026-54320
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted and declined by a user whose email matched the invitation but had not been verified. Daytona authenticates users via OIDC and...
EUVD-2026-38566
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted and declined by a user whose email matched the invitation but had not been verified. Daytona authenticates users via OIDC and...
PT-2026-51579
🚨 CVE-2026-54320 Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.184.0, organization invitations could be accepted and declined by a user whose email matched the invitation but had not been verified. Daytona authenticates user...
EUVD-2026-38169
Capgo before 12.128.2 contains an improper access control vulnerability in the public.getorgmembers RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sbpublishable key and an organization UUID to retrieve...
CVE-2026-56253
Capgo before 12.128.2 contains an improper access control vulnerability in the public.getorgmembers RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sbpublishable key and an organization UUID to retrieve...
PT-2026-51223
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description Improper access control in the public.get org members RPC function allows unauthenticated attackers to enumerate organization members. By using a public sb publishable key and an organization UUID,...
CVE-2026-46699
CVE-2026-46699 affects the conda-smithy tool. Prior to version 3.61.0, a vulnerability in the conda-forge automated webservices allowed unintended write access to feedstock repositories due to using mutable GitHub usernames as identifiers for repository invitation routing, instead of stable GitHu...
CVE-2026-47236
Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...
CVE-2026-47236 Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission
Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...
EUVD-2026-36530
Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...
CVE-2026-47236
CVE-2026-47236 affects the Solidtime open‑source time-tracking app prior to version 0.12.2. The root cause is insufficient access control in the Jetstream-backed team page: invitations:view and members:view permissions gate the official APIs, but the Jetstream page authorizes access with only bel...
CVE-2026-47236 Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission
Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...
PT-2026-48954
Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...
Mattermost 安全漏洞
Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost such as 11.5.1 and earlier 11.5.x series as well as 10.11.13 and earlier 10.11.x series have security vulnerabilities. These vulnerabilities stem from the lack of verification...
CVE-2026-8496
A cross-site scripting XSS vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS...
UBUNTU-CVE-2026-8496
A cross-site scripting XSS vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS...
CVE-2026-8496
A cross-site scripting XSS vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation files allows arbitrary JavaScript execution within the authenticated SOGo webmail session. The issue occurs because SVG content embedded in the description field of an ICS...