28667 matches found
CVE-2026-33345
solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/org/projects/project allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index...
CVE-2026-33345
solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/org/projects/project allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index...
EUVD-2026-14996
solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/org/projects/project allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index...
CVE-2026-33345
CVE-2026-33345 affects the open-source time-tracking app solidtime. Before v0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allowed any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member...
Mass-Mirai-IoT-Exploit
Fiber β Mass Mirai IoT Exploit Languages: Englishengl...
CVE-2026-33401
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 CVE-2026-30840 added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI...
EUVD-2026-14938
Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations...
Denial of Service (DoS)
Overview Affected versions of this package are vulnerable to Denial of Service DoS via the HandleAuthenticationFailure function of the AMF component. An attacker can cause the service to become unavailable by sending specially crafted requests remotely. Details Denial of Service DoS describes a...
CVE-2026-33676
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...
CVE-2026-33700 Vikunja has a Link Share Delete IDOR β Missing Project Ownership Check Allows Cross-Project Link Share Deletion
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares...
CVE-2026-33700 Vikunja has a Link Share Delete IDOR β Missing Project Ownership Check Allows Cross-Project Link Share Deletion
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares...
CVE-2026-33700
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares...
CVE-2026-33700
Summary: Vikunja before 2.2.1 had an IDOR on link share deletion. The vulnerable endpoint is DELETE /api/v1/projects/:project/shares/:share, which did not verify that the link share belongs to the project in the URL. An admin of any project could delete link shares from other projects by supplyin...
CVE-2026-33700 Vikunja has a Link Share Delete IDOR β Missing Project Ownership Check Allows Cross-Project Link Share Deletion
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares...
CVE-2026-33678 Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...
CVE-2026-33678 Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...
CVE-2026-33678
Vikunja prior to 2.2.1 suffers an IDOR: TaskAttachment.ReadOne() queries by attachment ID only and ignores the URL task_id, allowing any authenticated user to access or delete attachments across projects by supplying their own task_id. The read path validates the URL task, but ReadOne() loads the...
CVE-2026-33678 Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...
CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations β Missing Authorization Check on Related Task Read
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...
CVE-2026-33676
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...