CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CNNVD•added 2026/04/17 12:0 a.m.•7 views

HomeBox 安全漏洞

HomeBox is an open-source system developed by SysAdmins Media for home users. Versions of HomeBox prior to 0.25.0 contained security vulnerabilities. These vulnerabilities stemmed from the defaultGroup ID being assigned permanently after a user is invited to a group. Even if the user’s access...

8.1CVSS5.8AI score0.00038EPSS

OSV•added 2026/04/08 2:45 p.m.•2 views

BIT-DISCOURSE-2026-34947 Discourse: Staged user custom fields are exposed on public invite pages

Discourse is an open-source discussion platform. From versions 2026.1.0 to before 2026.1.3,and 2026.2.0 to before 2026.2.2, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been patched in versions 2026.1.3 and 2026.2.2...

6.9CVSS5.7AI score0.00056EPSS

RedhatCVE•added 2026/04/07 5:6 p.m.•2 views

CVE-2026-32602

Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint /api/trpc/user.register is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operation...

SUSE CVE•added 2026/04/06 11:24 p.m.•2 views

SUSE CVE-2026-34389

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

7.1CVSS5.9AI score0.00042EPSS

Exploits0References3

OSV•added 2026/04/06 5:59 p.m.•0 views

GHSA-X3F4-V83F-7WP2 Authorizer: Password reset token theft and full auth token redirect via unvalidated redirect_uri

Hi, I found that 6 endpoints in Authorizer accept a user-controlled redirecturi and append sensitive tokens to it without validating the URL against AllowedOrigins. The OAuth /app handler validates redirecturi at httphandlers/app.go:46, but the GraphQL mutations and verifyemail handler skip...

8.6CVSS6AI score

Exploits0References5

NVD•added 2026/04/06 3:17 p.m.•3 views

CVE-2026-32602

4.2CVSS0.00034EPSS

Cvelist•added 2026/04/06 2:42 p.m.•22 views

CVE-2026-32602 Homarr has a Race Condition in Invite Token Registration (TOCTOU)

4.2CVSS0.00034EPSS

CVE•added 2026/04/06 2:42 p.m.•2 views

CVE-2026-32602

CVE-2026-32602 affects Homarr prior to 1.57.0. The user registration endpoint /api/trpc/user.register is vulnerable to a TOCTOU race condition: the registration flow performs three non-atomic DB operations (CHECK, CREATE, DELETE). Concurrent requests can pass the CHECK before any deletion, allowi...

Exploits0References1Affected Software1

EUVD•added 2026/04/06 2:42 p.m.•2 views

EUVD-2026-19277

Vulnrichment•added 2026/04/06 2:42 p.m.•3 views

CVE-2026-32602 Homarr has a Race Condition in Invite Token Registration (TOCTOU)

Positive Technologies•added 2026/04/06 12:0 a.m.•1 views

PT-2026-30625

RedhatCVE•added 2026/04/04 10:54 p.m.•1 views

CVE-2026-34947

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been...

Vulnrichment•added 2026/04/03 9:27 p.m.•2 views

CVE-2026-34947 Discourse: Staged user custom fields are exposed on public invite pages

EUVD•added 2026/04/03 9:27 p.m.•0 views

EUVD-2026-18882

CVE•added 2026/04/03 9:27 p.m.•7 views

CVE-2026-34947

CVE-2026-34947 affects Discourse. Versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0 expose staged user custom fields and username on public invite pages without email verification. The issue has been patched in 2026.1.3, 2026.2...