CVE-2026-52800
Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be add...
GHSA-QXVM-PCFM-QC39 Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles
Summary Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An authenticated user who ow...
CVE-2026-10855
An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the...
CVE-2026-10855 MISP Event template importer authorization bypass
An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the...
EUVD-2026-34259
An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the...
PT-2026-46225
Name of the Vulnerable Software and Affected Versions: MISP (affected versions not specified). Description: An authorization flaw exists in the Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application verifies if a matching template exists but fai...
Flowise has IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration
Summary: The Flowise platform has a critical Insecure Direct Object Reference (IDOR) vulnerability combined with a Business Logic Flaw in the PUT /api/v1/loginmethod endpoint. While the endpoint requires authentication, it fails to validate if the authenticated user has ownership or administrative...
EUVD-2024-32706
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, on...
CVE-2024-5389
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset...
CVE-2025-24365
Vaultwarden is an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwardenrs. An attacker can obtain owner rights of another organization. The attacker must know the ID of the victim organization; in a real case the user can be a part of the organization as an unprivileged user and be...
Vaultwarden Access Control Error Vulnerability
Vaultwarden is an alternative implementation of the Bitwarden server API written in Rust by Daniel García (personal developer). Vaultwarden suffers from an access control error vulnerability that stems from the fact that an attacker can gain ownership of another organization by knowing the victim...
MongoDB Ops Manager Security Vulnerability
MongoDB Ops Manager is a solution from MongoDB, Inc. that supports the management, monitoring, and backup of MongoDB deployments. A security vulnerability exists in MongoDB Ops Manager versions prior to 5.0.22, 6.0.17, and 6.0.17, which originates from a user with Project Owner or Project User...