107 matches found

OSV
added last week, 5 views

GHSA-R9G5-7Q8J-958C FUXA provides guest and invalid-token access to protected read APIs in secure mode

Summary: When secureEnabled=true, FUXA 1.3.0-2773 still allows guest and invalid-token requests to read project, alarms, and scheduler APIs. Details: In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints. Confirmed behavior: - guest...

CVSS 6.9, AI score 5.9
Exploits 0, References 3
Github Security Blog
added last week, 8 views

FUXA provides guest and invalid-token access to protected read APIs in secure mode

Summary: When secureEnabled=true, FUXA 1.3.0-2773 still allows guest and invalid-token requests to read project, alarms, and scheduler APIs. Details: In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints. Confirmed behavior: - guest...

AI score 5.9
Exploits 0, References 3, Affected Software 1
Positive Technologies
added 2026/05/28 12:00 a.m., 8 views

PT-2026-44733

Name of the Vulnerable Software and Affected Versions: FUXA version 1.3.0-2773. Description: When secureEnabled is set to true, the software fails to properly restrict access to protected read endpoints. Requests made without a token or with an invalid token are treated as guest contexts rather than...

CVSS 6.9, AI score 5.8
Exploits 0, References 6
Positive Technologies
added 2026/05/27 12:00 a.m., 2 views

PT-2026-44163

Summary: The GET /api/project endpoint exposes sensitive project configuration data to guest-context requests even when secureEnabled is enabled. Details: File: server/api/projects/index.js (javascript) prjApp.get("/api/project", secureFnc, function(req, res) { const permission = checkGroupsFnc(req);...

CVSS 7.5, AI score 5.9
Exploits 0, References 4
Vulnrichment
added 2026/04/30 6:23 p.m., 4 views

CVE-2026-40603 Chartbrew: Incorrect Access Control in /api/project/dashboard/:brewName via same-team override

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does n...

CVSS 6.5, AI score 5.4, EPSS 0.00036
Exploits 0, References 2
ATTACKERKB
added 2026/04/30 6:23 p.m., 1 view

CVE-2026-40603

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does n...

CVSS 6.5, AI score 5.3, EPSS 0.00036
Exploits 0, References 3
EUVD
added 2026/04/30 6:23 p.m., 3 views

EUVD-2026-26410

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does n...

CVSS 6.5, AI score 5.3, EPSS 0.00036
Exploits 0, References 2
Positive Technologies
added 2026/04/30 12:00 a.m., 3 views

PT-2026-36164

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the...

CVSS 8.1, AI score 5.4, EPSS 0.00036
Exploits 0, References 3
RedhatCVE
added 2026/04/13 7:23 p.m., 0 views

CVE-2026-32252

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req,...

CVSS 7.7, AI score 5.8, EPSS 0.00033
Exploits 1, References 1
NVD
added 2026/04/10 8:16 p.m., 0 views

CVE-2026-32252

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req,...

CVSS 7.7, EPSS 0.00033
Exploits 1, References 2
ATTACKERKB
added 2026/04/10 7:17 p.m., 0 views

CVE-2026-32252

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req,...

CVSS 7.7, AI score 5.8, EPSS 0.00033
Exploits 1, References 3, Affected Software 1
CVE
added 2026/04/10 7:17 p.m., 3 views

CVE-2026-32252

CVE-2026-32252 – Chartbrew: A cross-tenant authorization bypass exists in GET /team/:team_id/template/generate/:project_id prior to 4.9.0. The handler calls checkAccess(req, "updateAny", "chart") without awaiting the promise and does not verify the project_id belongs to the caller's team. As a r...

CVSS 7.7, AI score 5.8, EPSS 0.00033
Exploits 1, References 2, Affected Software 1
Cvelist
added 2026/04/10 7:17 p.m., 14 views

CVE-2026-32252 Chartbrew Cross-Tenant Template Export and Secret Disclosure in `GET /team/:team_id/template/generate/:project_id`

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req,...

CVSS 7.7, EPSS 0.00033
Exploits 1, References 2
Vulnrichment
added 2026/04/10 7:17 p.m., 2 views

CVE-2026-32252 Chartbrew Cross-Tenant Template Export and Secret Disclosure in `GET /team/:team_id/template/generate/:project_id`

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req,...

CVSS 7.7, AI score 5.8, EPSS 0.00033
Exploits 1, References 2
SUSE CVE
added 2026/03/28 12:25 a.m., 1 view

SUSE CVE-2026-33315

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

CVSS 6.9, AI score 5.8, EPSS 0.00112
Exploits 1, References 3
RedhatCVE
added 2026/03/26 3:09 p.m., 1 view

CVE-2026-33315

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

CVSS 6.9, AI score 5.8, EPSS 0.00112
Exploits 1, References 1
NVD
added 2026/03/24 3:16 p.m., 5 views

CVE-2026-33315

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

CVSS 6.9, EPSS 0.00112
Exploits 1, References 3
Cvelist
added 2026/03/24 2:53 p.m., 16 views

CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

CVSS 6.9, EPSS 0.00112
Exploits 1, References 3
CVE
added 2026/03/24 2:53 p.m., 9 views

CVE-2026-33315

The connected GitHub Advisory (GHSA-47CR-F226-R4PQ) documents a 2FA bypass in Vikunja via Caldav Basic Authentication. It shows the Caldav login flow can authenticate with Basic Auth before 2FA checks, allowing access to project information (e.g., project name/description) for 2FA-enabled account...

CVSS 6.9, AI score 5.8, EPSS 0.00112
Exploits 1, References 3, Affected Software 1
OSV
added 2026/03/24 2:53 p.m., 3 views

CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

CVSS 6.9, AI score 6.3, EPSS 0.00112
Exploits 1, References 5