CVE-2026-40480

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...

CVE-2025-15623

Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. Unauthenticated user can retrieve database password in plaintext in certain situations...

CVE-2026-33477 FileRise has incorrect authorization in /api/file/snippet.php allows read_own users to read other users’ file content

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint /api/file/snippet.php allows an authenticated user with only readown access to a folder to retrieve snippet content from files upload...

CVE-2026-33180

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP...

HAPI FHIR 信息泄露漏洞

HAPI FHIR is an open-source Java-based HL7 FHIR API developed by HAPI FHIR. Versions of HAPI FHIR prior to 6.9.0 contained a vulnerability related to information leakage. This vulnerability occurred because the internal HTTP client, when setting HTTP request headers, sent the same set of headers ...

CVE-2026-32736 Hytale Modding Wiki has Insecure Direct Object Reference / GDPR PII Exposure

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference IDOR vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated...

GHSA-P7M9-V2CM-2H7M HAPI FHIR HTTP authentication leak in redirects

Impact When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of...

CVE-2026-27835

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user...

SUSE CVE-2026-24735

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or...

CVE-2026-25758

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to...

CVE-2025-54373

OpenEMR (open source EHR/PM) versions prior to 7.0.4 contain a data exposure vulnerability where contents of Clinical Notes and Care Plans with Sensitivity=high could be viewed and changed by users lacking high-sensitivity privileges. The issue is fixed in 7.0.4 (per CVE descriptions and Red Hat/...

CVE-2026-22246

Mastodon vulnerability (CVE-2026-22246): In 4.3, the severed-relationships notification feature allowed inspecting lost relationships, but the code that downloads lists of severed relationships did not verify the list owner. As a result, any registered local user could enumerate and access the se...

BIT-MOODLE-2025-62400 Moodle: hidden group names visible to event creators

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information...

CVE-2025-62400 Moodle: hidden group names visible to event creators

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information...

CVE-2025-62400

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information...

CVE-2025-53950

An Exposure of Private Personal Information 'Privacy Violation' vulnerability CWE-359 in Fortinet FortiDLP Agent's Outlookproxy plugin for MacOS and Windows 11.5.1 and 11.4.2 through 11.4.6 and 11.3.2 through 11.3.4 and 11.2.0 through 11.2.3 and 11.1.1. through 11.1.2 and 11.0.1 and 10.5.1 and...

Linux Distros Unpatched Vulnerability : CVE-2025-54799

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Let's Encrypt client and ACME library written in Go Lego. In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package thus the lego library an...

Apple iOS和iPadOS 安全漏洞

Apple iOS and Apple iPadOS are products of Apple Inc.Apple iOS is an operating system developed for mobile devices.Apple iPadOS is an operating system for iPad tablets.Apple iOS and iPadOS are products of Apple Inc.Apple iOS is an operating system developed for mobile devices.Apple iPadOS is an...

UBUNTU-CVE-2023-5545

H5P metadata automatically populated the author with the user's username, which could be sensitive information...

Open-Xchange OX App Suite 信息泄露漏洞

Open-Xchange OX App Suite is an email and productivity suite client software from Open-Xchange Germany. An information disclosure vulnerability exists in Open-Xchange OX App Suite version 7.10.6-rev23. An attacker could exploit the vulnerability to view user privacy...