Lucene search
K

296 matches found

Vulnrichment
Vulnrichment
added 2026/05/04 6:26 p.m.5 views

CVE-2026-42227 n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API...

6CVSS5.8AI score0.00203EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/04 6:26 p.m.36 views

CVE-2026-42227 n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API...

6CVSS0.00203EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/01 9:30 a.m.9 views

Incorrect Authorization

Overview keystone is a package that provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. Affected versions of this package are vulnerable to Incorrect Authorization in the POST /v3/credentials endpoint. An attacker...

8CVSS6AI score0.00446EPSS
Exploits1References2
NVD
NVD
added 2026/05/01 9:16 a.m.11 views

CVE-2026-43001

An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied projectid for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credentia...

8CVSS0.00446EPSS
Exploits1References6
Cvelist
Cvelist
added 2026/05/01 12:0 a.m.35 views

CVE-2026-43001

An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied projectid for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted application credentia...

7.9CVSS0.00446EPSS
Exploits1References3
CVE
CVE
added 2026/05/01 12:0 a.m.18 views

CVE-2026-43001

CVE-2026-43001 affects OpenStack Keystone (versions 13–29) where POST /v3/credentials does not validate that the caller-supplied project_id for an EC2-type credential matches the authenticating application credential’s project. An attacker with an unrestricted app_cred for project A can create an...

8CVSS5.8AI score0.00446EPSS
Exploits1References6Affected Software1
NVD
NVD
added 2026/04/30 7:16 p.m.4 views

CVE-2026-40904

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the...

8.1CVSS0.00235EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/30 6:20 p.m.29 views

CVE-2026-40904 Chartbrew: Incorrect Access Control in dataset and dataRequest routes via team-scoped permission checks

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the...

8.1CVSS0.00235EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/30 6:20 p.m.3 views

CVE-2026-40904 Chartbrew: Incorrect Access Control in dataset and dataRequest routes via team-scoped permission checks

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the...

8.1CVSS5.3AI score0.00235EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/30 12:0 a.m.10 views

chartbrew 访问控制错误漏洞

Chartbrew is an open-source data visualization and dashboard-building tool developed by Chartbrew. Version 4.9.0 of Chartbrew contains a access control vulnerability. This vulnerability arises from the fact that multiple dataset and data request endpoints are authorized only to project members wi...

8.1CVSS5.8AI score0.00235EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/29 9:21 p.m.12 views

n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure

Impact An authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing...

6.5CVSS5.7AI score0.00203EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/29 9:21 p.m.13 views

GHSA-756Q-GQ9H-FP22 n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure

Impact An authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing...

7.7CVSS5.8AI score0.00203EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/20 3:12 p.m.8 views

EUVD-2026-23870

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manageagendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target...

6.5CVSS5.8AI score0.00174EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/04/20 12:0 a.m.11 views

PT-2026-33783

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manage agendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target...

6.5CVSS5.8AI score0.00174EPSS
Exploits1References5
EUVD
EUVD
added 2026/04/10 7:20 p.m.3 views

EUVD-2026-20874

LXD: Importing a crafted backup leads to project restriction bypass...

9.1CVSS5.8AI score0.00424EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/03/26 4:56 p.m.6 views

Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR

Summary Two independently-exploitable authorization flaws in Vikunja can be chained to allow an unauthenticated attacker to download and delete every file attachment across all projects in a Vikunja instance. The ReadAll endpoint for link shares exposes share hashes including admin-level shares t...

5.9AI score
Exploits0References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:12 p.m.3 views

CVE-2026-3306

An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value...

5.3CVSS5.7AI score0.00321EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/03/25 9:17 p.m.4 views

Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

Summary TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads a different attachment that may belong to a task in another project. This allows...

8.1CVSS5.9AI score0.00265EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/25 9:17 p.m.3 views

GHSA-JFMM-MJCP-8WQ2 Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

Summary TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads a different attachment that may belong to a task in another project. This allows...

8.1CVSS5.9AI score0.00265EPSS
Exploits1References4
Snyk
Snyk
added 2026/03/25 9:17 p.m.4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the addRelatedTasksToTasks function. An attacker can obtain unauthorized access to sensitive task metadata from projects they do not have permission to view by reading tasks that have cross-project relations...

7.1CVSS5.9AI score0.0033EPSS
Exploits1References2
Rows per page
Query Builder