CVE-2026-28685
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/{id}" only checks the role-based view_invoice permission but does not verify that the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD, which grants view_invoice, can read a...
Kimai authorization vulnerability
Kimai is a web-based, multi-user time tracking application developed by Kimai's individual developers. Versions of Kimai prior to 2.51.0 contained an authorization vulnerability. This vulnerability stemmed from the fact that only the role-based view_invoice permission was checked, without verifying...
EUVD-2025-16323
Malicious code in bioql PyPI...
CVE-2025-40673
A Missing Authorization vulnerability has been found in DinoRANK. This vulnerability allows an attacker to access invoices of any user via accessing endpoint '/facturas/YYYY-MM/SDRYYMM-XXXXX.pdf' because there is no access control. The pdf filename can be obtained via OSINT, insecure network...
PT-2025-23075 · Dinorank · Dinorank
Name of the Vulnerable Software and Affected Versions: DinoRANK (affected versions not specified). Description: A Missing Authorization issue has been found, allowing an attacker to access invoices of any user. This is possible by accessing the endpoint "/facturas/YYYY-MM/SDRYYMM-XXXXX.pdf" due to a...
CVE-2024-12329
The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
CVE-2025-24606
CVE-2025-24606: Missing Authorization in WordPress plugin Client Invoicing by Sprout Invoices (Sprout Invoices) — Broken Access Control allowing unauthorized access/privilege escalation in Client Invoicing by Sprout Invoices
WordPress plugin Essential Real Estate information disclosure vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. An information...
Red Hat 3scale security vulnerability
Red Hat 3scale is a suite of API Application Programming Interface lifecycle management software from Red Hat USA. A security vulnerability exists in Red Hat 3scale that stems from the fact that there is no authentication mechanism to view PDF invoices for developer users if the URL is known, and...
Harvest: Unauthorized access to all the actions of invoices by PM (Access control Issues)
Hi Team, Description: Project Manager (Full access) can't access the projects and invoices which are not assigned to him. But this can be bypassed and the following actions can be done by any project manager: 1. Mark as sent 2. Mark as draft 3. Mark as closed 4. Mark as open. Any manager can change above...