sendportal 授权问题漏洞

SendPortal is a self-hosted email marketing management tool developed by Mattel. Versions of SendPortal 3.0.1 and earlier had an authorization vulnerability. This vulnerability stemmed from improper handling of the parameter invitation in the destroy function of the Invitation Handler component...

PT-2026-35500

A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attac...

CVE-2026-40196

HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the...

Foxit PDF Reader和Foxit PDF Editor 安全漏洞

Foxit PDF Reader and Foxit PDF Editor are products of Foxit Corporation, a Chinese company. Foxit PDF Reader is a PDF reader. Foxit PDF Editor is a PDF editor. Both Foxit PDF Reader and Foxit PDF Editor have security vulnerabilities. These vulnerabilities stem from potentially insecure direct...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the user invitation process. An attacker can gain unauthorized access with elevated privileges by using a valid invite token to create an account under any email address, thereby inheriting the role associated...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the user invitation process. An attacker can gain unauthorized access with elevated privileges by using a valid invite token to create an account under any email address, thereby inheriting the role associated...

SUSE CVE-2017-18917

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens...

GO-2026-4463 Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations in github.com/mattermost/mattermost-server

Mattermost Server uses weak hashing for OAuth, email verification tokens and invitations in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the allowopeninvite field. An attacker can gain unauthorized access to restricted team invitation functionality by sending crafted API requests. Remediation Upgrade...

A week in security (February 2 – February 8)

Last week on Malwarebytes Labs: Apple Pay phish uses fake support calls to steal payment details Open the wrong "PDF" and attackers gain remote access to your PC Flock cameras shared license plate data without permission Grok continues producing sexualized images after promised fixes Firefox is...

@ainsleydev/payload-helper (>=0.0.6 <=0.1.2), @davincicoding/payload-plugin-kit (=0.0.4) +9 more potentially affected by CVE-2026-25544 via @payloadcms/db-sqlite (>=3.0.0-beta.116 <=3.72.0)

@payloadcms/db-sqlite NPM version =3.0.0-beta.116, =0.0.6, =1.1.10, =1.2.0 - payload-smart-deletion =1.0.7 - simple-shop =1.0.0 Source cves: CVE-2026-25544 Source advisory: SNYK:JS-PAYLOADCMSDBSQLITE-15240188...

Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access

Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management RMM software for persistent remote access to compromised hosts. "Instead of deploying custom viruses, attackers are bypassing...

CVE-2017-18917

An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and 3.6.7. Weak hashing was used for e-mail invitations, OAuth, and e-mail verification tokens...

CVE-2024-2233

The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a group...

SUSE CVE-2025-64708

authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5...

CVE-2025-64423 Coolify has a Privilege Escalation - low privileged users can see and use admin invitation links

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user member can see and use invitation links sent to an administrator. When they use the link before the legitimate recipie...

CVE-2025-64725 Weblate has improper validation upon invitation acceptance

Weblate is a web based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15. contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended...

Weblate has improper validation upon invitation acceptance

Impact It was possible to accept an invitation opened by a different Weblate user. Patches https://github.com/WeblateOrg/weblate/pull/16913 Workarounds Users should avoid leaving Weblate sessions with an unattended opened invitation. References Thanks to Nahid0x for responsibly disclosing this...

GHSA-M6HQ-F4W9-QRJJ Weblate has improper validation upon invitation acceptance

Impact It was possible to accept an invitation opened by a different Weblate user. Patches https://github.com/WeblateOrg/weblate/pull/16913 Workarounds Users should avoid leaving Weblate sessions with an unattended opened invitation. References Thanks to Nahid0x for responsibly disclosing this...

PT-2025-49576

Name of the Vulnerable Software and Affected Versions matrix-sdk-base versions 0.14.1 and prior Description The software is susceptible to a denial-of-service condition. If a user is invited to a room with non-standard join rules, the sync process will stall, preventing further processing for all...