CVE-2026-48592
Missing Authorization vulnerability in oban-bg oban_web 'Elixir.Oban.Web.Jobs.DetailComponent' modules allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel,...
EEF-CVE-2026-48592 Missing authorization check on save-job event handler in oban_web
Summary Missing Authorization vulnerability in oban-bg oban_web 'Elixir.Oban.Web.Jobs.DetailComponent' modules allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling...
CVE-2026-48592 Missing authorization check on save-job event handler in oban_web
Missing Authorization vulnerability in oban-bg oban_web 'Elixir.Oban.Web.Jobs.DetailComponent' modules allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel,...
EUVD-2026-31975
Missing Authorization vulnerability in oban-bg oban_web 'Elixir.Oban.Web.Jobs.DetailComponent' modules allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel,...
Oban Web security vulnerability
Oban Web is an embedded real-time backend task monitoring dashboard developed under the Oban Framework open source project. Versions of Oban Web from 2.12.0 to 2.12.5 contained a security vulnerability. This vulnerability originated from the Elixir.Oban.Web.Jobs.DetailComponent module, where the...
CVE-2026-8469 Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook
Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without...
CVE-2022-42975
socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token...
EUVD-2022-7143
Malicious code in bioql PyPI...
Phoenix before 1.6.14 mishandles check_origin wildcarding
socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token...
GHSA-P8F7-22GQ-M7J9 Phoenix before 1.6.14 mishandles check_origin wildcarding
socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token...
PT-2022-26688 · Phoenix · Phoenix
Name of the Vulnerable Software and Affected Versions: Phoenix versions prior to 1.6.14 Description: The issue arises from the mishandling of check origin wildcarding in the socket/transport.ex file. This does not affect LiveView applications by default due to the presence of a LiveView CSRF toke...
Shopify: Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation
Summary GraphQL LiveView operation doesn't properly check for permissions before returning data. This allows "No Access" users to access some store settings and data by providing complete Shop schema fields in the request string. Steps to reproduce 1. Log into an attacker account of a test store...