CVE-2026-41428

Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint ...

CVE-2026-41278

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the...

Securly Chrome Extension contains multiple weak encryption and access control vulnerabilities

Overview Version 3.0.7 of the Securly Chrome Extension contains multiple vulnerabilities involving insecure data transmission, weak cryptography, and improper access control. These issues may expose sensitive filtering rules, enable the manipulation of downloaded configuration files, and allow...

CVE-2026-44262 Scramble: Remote code execution via evaluation of user-controlled input in validation rules

Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of...

Ech0 comment model's Email field returned on public /api/comments endpoints

Summary The Comment model serializes its Email field through the public comment-listing API. internal/model/comment/comment.go:33 uses json:"email", while adjacent PII fields IPHash, UserAgent correctly use json:"-". The public endpoints GET /api/comments?echoid=X and GET...

Exposure of Private Personal Information to an Unauthorized Actor

Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via the Email field in the Comment model exposed through unauthenticated public API endpoints. An attacker can obtain the email addresses of all guest commenters by makin...

CVE-2026-41428

Budibase (open-source low-code platform) before version 3.35.4 is affected. The authenticated middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against ctx.request.url, and because Koa’s ctx.request.url includes the query string, an attacker can include a ...

CVE-2026-41428

Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint ...

Budibase 授权问题漏洞

Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.35.4 contained an authorization vulnerability. This vulnerability stemmed from authenticated...

Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs

Summary The GET /api/v1/public-chatflows/:id endpoint returns the full chatflow object without sanitization for public chatflows. Docker validation revealed this is worse than initially assessed: the sanitizeFlowDataForPublicEndpoint function does NOT exist in the released v3.0.13 Docker image...

Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints

Summary The authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a query paramete...

Missing Authentication for Critical Function

Overview @budibase/backend-core is a Budibase backend core libraries used in server and worker Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the authenticated middleware, which uses unanchored regular expressions to match public endpoint...

PT-2026-35071

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.35.4 Description The authenticated middleware uses unanchored regular expressions to match public endpoint patterns against the ctx.request.url variable. Because ctx.request.url in Koa includes the query string, an...

CVE-2026-39339 ChurchCRM has an API Authentication Bypass

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical authentication bypass vulnerability in ChurchCRM's API middleware ChurchCRM/Slim/Middleware/AuthMiddleware.php allows unauthenticated attackers to access all protected API endpoints by including "api/public" anywhere...

📄 Grafana 11.6.0 Server-Side Request Forgery

Grafana versions 11.2.0 through 11.6.0 suffer from a server-side request forgery vulnerability. Exploit Title: Grafana 11.6.0 - SSRF FOFA: app="Grafana" Date: 2-11-2025 Exploit Author: Beatriz Fresno Naumova Vendor Homepage: https://grafana.com/ Software Link: https://grafana.com/grafana/download...

Fireshare 路径遍历漏洞

Fireshare is a media hosting software developed by Shane Israel as an individual project. Versions of Fireshare prior to 1.5.3 contained a path traversal vulnerability. This vulnerability stemmed from the lack of fixes for unauthenticated/api/uploadchunked/public endpoints, allowing attackers to...

CVE-2026-33935 MyTube has Unauthenticated Account Lockout via Shared Login Attempt State

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification...

Sylius has an Open Redirect via Referer Header

Impact CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. Th...

CVE-2026-31819

Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate...

GHSA-87X4-J8VH-P5QF Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure

Executive Summary A security vulnerability exists in the Plane project management platform that allows unauthenticated attackers to enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django RE...