12 matches found
CVE-2026-41886
locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener"message", … handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, … without...
EUVD-2026-28796
locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener"message", … handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, … without...
CVE-2026-32251
Tolgee is an open-source localization platform. Prior to 3.166.3, the XML parsers used for importing Android XML resources .xml and .resx files don't disable external entity processing. An authenticated user who can import translation files into a project can exploit this to read arbitrary files...
CVE-2024-52297
Tolgee (open-source localization platform) vulnerability CVE-2024-52297: in version 3.81.1, all configuration properties were exposed publicly via PublicConfigurationDTO to users. Root cause: Public exposure of configuration data. Impact: high potential disclosure risk stated in sources; fixed in...
CVE-2024-32470
Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4...
CVE-2024-32466 Tolgee's API key scopes not checked when querying translation data
Tolgee is an open-source localization platform. For the /v2/projects/translations and /v2/projects/projectId/translations endpoints, translation data was returned even when API key was missing translation.view scope. However, it was impossible to fetch the data when user was missing this scope. S...
CVE-2024-32466
Tolgee's CVE-2024-32466 affects the Tolgee localization platform. The vulnerability concerns the /v2/projects/translations and /v2/projects/{projectId}/translations endpoints, where translation data could be returned when the API key lacked the translation.view scope, potentially exposing data to...
CVE-2024-32466 Tolgee's API key scopes not checked when querying translation data
Tolgee is an open-source localization platform. For the /v2/projects/translations and /v2/projects/projectId/translations endpoints, translation data was returned even when API key was missing translation.view scope. However, it was impossible to fetch the data when user was missing this scope. S...
CVE-2023-41316 HTML Injection with email in Tolgee
Tolgee is an open-source localization platform. Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims. Registered users can inject HTML into unsanitized emails from the Tolgee instance to other users. This unsanitized HTML ends up in invitati...
CVE-2023-38510 Tolgee Lacks Permission Check for API Key for some endpoints
Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It's...
CVE-2023-38510
Tolgee CVE-2023-38510 affects Tolgee versions 3.14.0 through 3.23.1. The issue is that API-key requests bypass permission scope checks, effectively bypassing authorization for some endpoints. This vulnerability can enable unauthorized access if API keys are exposed on the internet; cases where ke...
PT-2023-26488 · Tolgee · Tolgee
Name of the Vulnerable Software and Affected Versions: Tolgee versions 3.14.0 through 3.23.1 Description: Tolgee is an open-source localization platform. When a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing...