CVE-2026-44671 ZITADEL: LDAP Filter Injection in Login Flow

ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allo...

Apache Airflow 安全漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. There is a security vulnerability in Apache Airflow, wher...

Cross-site Scripting (XSS)

Angular is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to internationalization of security-sensitive attributes bypassing Angular’s sanitization when combined with untrusted data binding, which allows an attacker to inject malicious scripts...

CVE-2026-33369

Zimbra Collaboration ZCS 10.0 and 10.1 contains an LDAP injection vulnerability in the Mailbox SOAP service within a FolderAction operation. The application fails to properly sanitize user-supplied input before incorporating it into an LDAP search filter. An authenticated attacker can exploit thi...

CVE-2026-33369

Zimbra Collaboration ZCS 10.0 and 10.1 contains an LDAP injection vulnerability in the Mailbox SOAP service within a FolderAction operation. The application fails to properly sanitize user-supplied input before incorporating it into an LDAP search filter. An authenticated attacker can exploit thi...

GHSA-G93W-MFHG-P222 Angular vulnerable to XSS in i18n attribute bindings

A Cross-Site Scripting XSS vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute for example href on an anchor tag together with Angular's ability to internationalize attributes. Enabling internationalization for...

Missing Authorization

craftcms/cms is vulnerable to Missing Authorization. The vulnerability is due to missing authorization checks in the GraphQL @parseRefs directive, which allows an attacker to access sensitive attributes of CMS elements without proper permissions...

EUVD-2025-208340

Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the...

CVE-2026-28696

Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags e.g., user:1:email, can be abused by both authenticated users and unauthenticated guests if a Public Schema is enabled to access sensitive...

CVE-2026-28696

Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags e.g., user:1:email, can be abused by both authenticated users and unauthenticated guests if a Public Schema is enabled to access sensitive...

PT-2026-22948

Name of the Vulnerable Software and Affected Versions Craft versions prior to 4.17.0-beta.1 and versions prior to 5.9.0-beta.1 Description Craft is a content management system CMS that contains a flaw in the GraphQL directive @parseRefs. This directive, designed to parse internal reference tags,...

org.keycloak.services.resources.admin: Keycloak: Limited administrator can retrieve sensitive user attributes via Admin API

A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...

GHSA-G78X-7VWX-9F58 Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes

A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...

Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes

A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...

CVE-2025-13881

A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...

CVE-2025-13881

A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...

CVE-2025-13881

The CVE-2025-13881 entry describes a vulnerability in the Keycloak Admin API where an administrator with limited privileges can retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. Affected software is Keycloak Admin API (details ...

CVE-2026-21880

Kanboard is project management software focused on Kanban methodology. Versions 1.2.48 and below have an LDAP Injection vulnerability in the LDAP authentication mechanism. User-supplied input is directly substituted into LDAP search filters without proper sanitization, allowing attackers to...

An Algorithmic Pipeline for GDPR-Compliant Healthcare Data Anonymisation: Moving toward Standardisation

High-quality real-world data RWD is essential for healthcare but must be transformed to comply with the General Data Protection Regulation GDPR. GDPRs broad definitions of quasi-identifiers QIDs and sensitive attributes SAs complicate implementation. We aim to standardise RWD anonymisation for GD...

CVE-2020-25720 Samba: check attribute access rights for ldap adds of computers

A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because the administrator...