14 matches found

Github Security Blog
added 2026/05/27 10:51 p.m. · 13 views

FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations

Summary: The GET /api/project endpoint exposes sensitive project configuration data to guest-context requests even when secureEnabled is enabled. Details: File: server/api/projects/index.js (javascript): prjApp.get("/api/project", secureFnc, function(req, res) { const permission = checkGroupsFnc(req); ...

AI score 5.9
Exploits: 0 · References: 3 · Affected software: 1
GithubExploit
added 2026/05/01 11:13 a.m. · 83 views

Exploit for CVE-2025-48757

cso-vibecheck Senior-CSO security audit skill for vibe-coded...

CVSS 9.3 · AI score 7.6 · EPSS 0.00202
Exploits: 3
NVD
added 2026/03/24 8:16 p.m. · 1 view

CVE-2026-33345

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index...

CVSS 6.5 · EPSS 0.00016
Exploits: 1 · References: 3
ATTACKERKB
added 2026/03/24 7:30 p.m. · 2 views

CVE-2026-33345

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index...

CVSS 6.5 · AI score 5.7 · EPSS 0.00016
Exploits: 1 · References: 4 · Affected software: 1
CVE
added 2026/03/24 7:30 p.m. · 3 views

CVE-2026-33345

CVE-2026-33345 affects the open-source time-tracking app solidtime. Before v0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allowed any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member...

CVSS 6.5 · AI score 5.7 · EPSS 0.00016
Exploits: 1 · References: 3 · Affected software: 1
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-31562

Malicious code in bioql PyPI...

CVSS 6.1 · AI score 6.6 · EPSS 0.00024
Exploits: 0 · References: 2
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2025-24076

Malicious code in bioql PyPI...

CVSS 5.5 · AI score 5.7 · EPSS 0.00088
Exploits: 1 · References: 4
Cvelist
added 2025/09/29 8:41 a.m. · 4 views

CVE-2025-10344 HTML injection in Perfex CRM

HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'clientid' at the endpoint '/projects/project/x'...

CVSS 5.3 · EPSS 0.00024
Exploits: 0 · References: 1
Positive Technologies
added 2025/09/29 12:00 a.m. · 3 views

PT-2025-39817

Name of the Vulnerable Software and Affected Versions: Perfex CRM version 3.2.1. Description: An HTML injection issue exists in Perfex CRM version 3.2.1. This is due to insufficient validation of user-supplied data. An attacker can inject HTML code by sending a POST request to the /projects/project/...

CVSS 6.1 · AI score 7 · EPSS 0.00024
Exploits: 0 · References: 5
OSV
added 2025/08/10 6:15 a.m. · 1 view

CVE-2025-8796

A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/deleteproject/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack...

CVSS 5.3 · AI score 4.8
Exploits: 0 · References: 4
Vulnrichment
added 2025/08/10 6:02 a.m. · 4 views

CVE-2025-8796 LitmusChaos Litmus Delete Request delete_project authorization

A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/deleteproject/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack...

CVSS 5.5 · AI score 7.2 · EPSS 0.00088
Exploits: 1 · References: 4
Positive Technologies
added 2024/04/15 12:00 a.m. · 1 view

PT-2024-18177 · Lunary Ai · Lunary

Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 0.3.0. Description: An Insecure Direct Object Reference (IDOR) vulnerability exists in the project update endpoint, allowing authenticated users to modify the name of any project within the system without proper...

CVSS 9.1 · AI score 9 · EPSS 0.00103
Exploits: 1 · References: 8
Positive Technologies
added 2024/02/14 12:00 a.m. · 1 view

PT-2024-20833 · Unknown · Task Manager App

Name of the Vulnerable Software and Affected Versions: Task Manager App version 1.0 Description: The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the projectID parameter at the "/TaskManager/EditProject.php" API endpoint. Recommendations: For Task...

CVSS 9.8 · AI score 7.4 · EPSS 0.00131
Exploits: 1 · References: 5
Positive Technologies
added 2022/09/28 12:00 a.m. · 2 views

PT-2022-21133 · Bytebase · Bytebase

Name of the Vulnerable Software and Affected Versions: Bytebase (affected versions not specified). Description: The Bytebase application does not restrict low privilege users from accessing admin projects, allowing unauthorized users to view projects created by Admin. The affected endpoint is...

CVSS 4.3 · AI score 6.2 · EPSS 0.00181
Exploits: 1 · References: 8