Lucene search
+L

2033 matches found

NVD
NVD
added yesterday6 views

CVE-2026-63101

Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint whic...

8.7CVSS
Exploits0References2
EUVD
EUVD
added yesterday6 views

EUVD-2026-45173

A flaw was found in the organization management component of Keycloak. A delegated administrator with permission to manage organizations can create an invitation for a non-existent email address and then retrieve the secret registration link directly through the application programming interface...

4.9CVSS5.3AI score
Exploits0References2
Cvelist
Cvelist
added 3 days ago36 views

CVE-2026-52892 Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalation via read-level authz on write ops)

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication.checkBoardWriteAccess for mutating custom-field routes. A read-only board member can call POST,...

6.5CVSS0.00259EPSS
Exploits0References3
NVD
NVD
added 3 days ago7 views

CVE-2026-61440

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to...

7.1CVSS0.00213EPSS
Exploits0References3
CVE
CVE
added 3 days ago6 views

CVE-2026-61440

CVE-2026-61440 affects the PraisonAI Platform prior to 0.1.9. The issue is an authorization flaw in label and issue-label mutations that lets workspace members with basic privileges rename and recolor shared labels and add/remove labels on owner-created issues. The root cause is improper authoriz...

7.1CVSS6.1AI score0.00213EPSS
Exploits0References3
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-44644

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to...

7.1CVSS6.1AI score0.00213EPSS
Exploits0References3
Cvelist
Cvelist
added 3 days ago34 views

CVE-2026-61440 PraisonAI Platform before 0.1.9 Authorization Bypass via Label Endpoints

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to...

7.1CVSS0.00213EPSS
Exploits0References3
OSV
OSV
added 3 days ago6 views

CVE-2026-61440 PraisonAI Platform before 0.1.9 Authorization Bypass via Label Endpoints

PraisonAI Platform before 0.1.9 fails to properly authorize label and issue-label mutations, allowing workspace members to rename and recolor shared labels and add or remove labels on owner-created issues. Attackers with workspace member privileges can exploit PATCH and POST/DELETE endpoints to...

7.1CVSS6.1AI score0.00213EPSS
Exploits0References5
OSV
OSV
added 5 days ago6 views

CVE-2026-58408 ChurchCRM : Broken Access Control in `CSVCreateFile.php` Allows Low-Privileged Users to Export All Members' PII

ChurchCRM is an open-source church management system. Prior to version 7.4.0, a low-privileged user can bypass the /admin/export UI and exfiltrate the entire member directory. The POST /CSVCreateFile.php endpoint generates and streams a CSV containing the full Personally Identifiable Information...

6.5CVSS6.1AI score0.00217EPSS
Exploits0References3
EUVD
EUVD
added 5 days ago8 views

EUVD-2026-43311

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to restrict the groupconstrained channel flag to public and private channels that support group synchronization, which allows an ordinary group or direct message member to remove all participants from the conversation v...

5.4CVSS6.1AI score0.0017EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/11 1:1 p.m.38 views

CVE-2026-61442 PraisonAI Platform before 0.1.9 Authorization Bypass via PATCH

PraisonAI Platform praisonai-platform before 0.1.9 fails to enforce owner/admin authorization on the PATCH routes for projects, issues, and agents, which only require workspace-member role. A workspace member can modify owner-created records; for projects, a member can reassign leadid to their ow...

7.1CVSS0.00256EPSS
Exploits0References3
NVD
NVD
added 2026/07/11 4:17 a.m.6 views

CVE-2026-12426

The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the membersfilterprotectedpostsforrest. This makes it possible for unauthenticated attackers to extract determine the existence...

5.3CVSS0.00273EPSS
Exploits0References6
CVE
CVE
added 2026/07/11 2:31 a.m.16 views

CVE-2026-12426

The CVE-2026-12426 affects the WordPress plugin Members – Membership & User Role Editor, up to version 3.2.22. The vulnerability enables unauthenticated attackers to perform sensitive information exposure via the REST API pagination side channel, using the members_filter_protected_posts_for_rest ...

5.3CVSS6.1AI score0.00273EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/11 2:31 a.m.6 views

EUVD-2026-43125

The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the membersfilterprotectedpostsforrest. This makes it possible for unauthenticated attackers to extract determine the existence...

5.3CVSS6.1AI score0.00273EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/11 2:31 a.m.31 views

CVE-2026-12426 Members <= 3.2.22 - Unauthenticated Sensitive Information Disclosure via REST API Pagination Side Channel

The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the membersfilterprotectedpostsforrest. This makes it possible for unauthenticated attackers to extract determine the existence...

5.3CVSS0.00273EPSS
Exploits0References6
Patchstack
Patchstack
added 2026/07/10 2:7 p.m.5 views

WordPress Members plugin <= 3.2.22 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by an unknown individual in WordPress Plugin Members versions = 3.2.22...

5.3CVSS6.1AI score0.00273EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/07/09 5:17 p.m.6 views

CVE-2026-59222

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers.key and webhook configuration, allowing a normal channel...

6.5CVSS0.00265EPSS
Exploits1References3
EUVD
EUVD
added 2026/07/09 4:59 p.m.7 views

EUVD-2026-42631

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers.key and webhook configuration, allowing a normal channel...

6CVSS5.9AI score0.00265EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/07/09 4:59 p.m.7 views

CVE-2026-59222

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers.key and webhook configuration, allowing a normal channel...

6CVSS5.9AI score0.00265EPSS
Exploits1References4Affected Software1
Cvelist
Cvelist
added 2026/07/09 4:59 p.m.33 views

CVE-2026-59222 Open WebUI: /api/v1/channels/{id}/members exposes full user model including sensitive credentials

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.7.0 before 0.10.0, GET /api/v1/channels//members returned full UserModelResponse objects for channel members, including settings.ui.toolServers.key and webhook configuration, allowing a normal channel...

6CVSS0.00265EPSS
Exploits1References3
Rows per page
Query Builder