216 matches found
Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001
This module allows group managers to invite people into their group. The module doesn't sufficiently check access under certain circumstances, allowing unauthorized users to access the group's content. This vulnerability is mitigated by the fact that it only occurs when certain uncommon...
CVE-2022-37458
Discourse through 2.8.7 allows admins to send invitations to arbitrary email addresses at an unlimited rate...
CVE-2024-39777
Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow unsolicited invites to expose access to local channels, when shared channels are enabled, which allows a malicious remote to send an invite with the ID of an existing local channel, and that local...
CVE-2024-2232
The lacks CSRF checks, allowing a user to invite any user to any group, including private groups...
PT-2025-53391
Name of the Vulnerable Software and Affected Versions: Pexip Infinity versions 32.0 through 37.1. Description: Pexip Infinity, in specific configurations of OTJ (One Touch Join) for Teams SIP Guest Join, exhibits improper input validation within the OTJ service. This flaw allows a remote attacker to...
CVE-2025-66622
Affected software: matrix-sdk-base (base component for Matrix Rust SDK). Vulnerability: Versions 0.14.1 and earlier cannot handle responses with custom m.room.join_rules values due to a serialization bug, which can cause a denial-of-service by stalling the crate’s sync process when invited to a r...
CVE-2025-66622 matrix-sdk-base is vulnerable to DoS via custom m.room.join_rules event values
matrix-sdk-base is the base component to build a Matrix client library. Versions 0.14.1 and prior are unable to handle responses that include custom m.room.join_rules values due to a serialization bug. This can be exploited to cause a denial-of-service condition, if a user is invited to a room wit...
matrix-sdk-base: Denial of service due to custom `m.room.join_rules` events
The matrix-sdk-base crate is unable to handle responses that include custom m.room.join_rules values due to a serialization bug. This can be exploited to cause a denial-of-service condition: if a user is invited to a room with non-standard join rules, the crate's sync process will stall, preventin...
CVE-2025-66223
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issue...
EUVD-2025-199890
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issue...
CVE-2025-66223 OpenObserve's Invite Token Lifecycle Misconfiguration
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issue...
A week in security (November 17 – November 23)
Last week on Malwarebytes Labs:
- AI teddy bear for kids responds with sexual content and advice about weapons
- Fake calendar invites are spreading. Here's how to remove them and prevent more
- Budget Samsung phones shipped with unremovable spyware, say researchers
- What the Flock is happening with...
Fake calendar invites are spreading. Here’s how to remove them and prevent more
We’re seeing a surge in phishing calendar invites that users can’t delete, or that keep coming back because they sync across devices. The good news is you can remove them and block future spam by changing a few settings. Most of these unwanted calendar entries are there for phishing purposes. Mos...
@facebookmail.com Invites Exploited to Phish Facebook Business Users
If you manage Facebook advertising for a small or medium-sized business, open your inbox with suspicion, because attackers…...
CVE-2025-64326
Weblate (web-based localization tool) versions 5.14 and earlier leak the inviting user’s IP address in the audit log, which can be viewed by invited project members. The root cause is exposure of IPs in admin-triggered actions within the audit log. The issue is fixed in Weblate 5.14.1. Affected p...
PT-2025-45379
Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.14.1. Description: Weblate versions 5.14 and below disclose the IP address of a project member when inviting a user to a project. The audit log, which includes IP addresses from administrative actions, is accessible t...
UBUNTU-CVE-2025-9158
The Request Tracker software is vulnerable to a stored XSS vulnerability in the calendar invitation parsing feature, which displays invitation data without HTML sanitization. The XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying th...
EUVD-2025-35802
The Request Tracker software is vulnerable to a stored XSS vulnerability in the calendar invitation parsing feature, which displays invitation data without HTML sanitization. The XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying th...
EUVD-2021-0123
Malware in sbrugna...
EUVD-2022-28175
Malicious code in bioql PyPI...