CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/03/06 4:45 a.m.•7 views

CVE-2026-29061

Gokapi CVE-2026-29061 summary (based on connected docs): Gokapi is a self-hosted file sharing server. Before version 2.2.3, a privilege-escalation flaw in the user rank demotion logic allows a demoted user’s existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, ...

Exploits0References2Affected Software1

Cvelist•added 2026/03/06 4:45 a.m.•29 views

CVE-2026-29061 Gokapi: Privilege escalation via incomplete API-key permission revocation on user rank demotion

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, a privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permission...

5.4CVSS0.00008EPSS

Snyk•added 2026/03/05 8:42 p.m.•1 views

Improper Handling of Insufficient Permissions or Privileges

Overview Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges incomplete revocation of API key permissions during the user demotion process. An attacker can maintain unauthorized access to upload-request management and log viewing endpoin...

Snyk•added 2026/03/05 8:42 p.m.•2 views

Improper Handling of Insufficient Permissions or Privileges

OSV•added 2026/03/05 8:42 p.m.•4 views

GHSA-Q658-HFPG-35QC Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion

Summary A privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management and log viewing endpoints after the user has been...

Snyk•added 2026/02/09 12:30 p.m.•1 views

Exploits0References4

Incorrect Use of Privileged APIs

Overview Affected versions of this package are vulnerable to Incorrect Use of Privileged APIs via insufficient permission checks in the getlog function. An authenticated user without log-viewing permissions can still access task execution logs containing sensitive operational data, debugging...

7.1CVSS5.8AI score0.00037EPSS

RedhatCVE•added 2026/01/23 9:15 p.m.•5 views

CVE-2025-68609

A vulnerability in Palantir's Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible...

6.6CVSS5.6AI score0.00033EPSS

CNNVD•added 2026/01/23 12:0 a.m.•1 views

ALGO 8180 IP Audio Alerter: Cross-site scripting vulnerability

ALGO 8180 IP Audio Alerter is an IP speaker developed by ALGO Corporation. The ALGO 8180 IP Audio Alerter has a cross-site scripting vulnerability. This vulnerability stems from the lack of validation of user input during the system log viewing function, which may lead to storage-based cross-site...

6.1CVSS5.9AI score0.00045EPSS

NVD•added 2026/01/22 7:15 p.m.•2 views

CVE-2025-68609

6.6CVSS0.00033EPSS

ATTACKERKB•added 2026/01/22 7:6 p.m.•1 views

CVE-2025-68609

6.6CVSS5.4AI score0.00033EPSS

Vulnrichment•added 2026/01/22 7:6 p.m.•2 views

CVE-2025-68609 Authentication bypass in Aries due to misconfiguration

6.6CVSS5.6AI score0.00033EPSS

CVE•added 2026/01/22 7:6 p.m.•4 views

CVE-2025-68609

The connected records confirm CVE-2025-68609 affects Palantir’s Aries service running on Apollo instances, with unauthenticated access to log viewing/management when default configuration is used. The root issue is a bypass of authentication and authorization checks, potentially enabling any netw...

6.6CVSS5.6AI score0.00033EPSS