CVE-2026-41498 Kimai: Team API Missing Object-Level Authorization

Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use IsGranted'editteam' instead of IsGranted'edit', 'team', causing Symfony TeamVoter to abstain from voting. This removes entity-level ownership checks on team operations, allowing any user with th...

CVE-2025-41410 Slack import bypasses email verification for team access controls

Mattermost versions 10.10.x = 10.10.2, 10.5.x = 10.5.10, 10.11.x = 10.11.2 fail to validate email ownership during Slack import process which allows attackers to create verified user accounts with arbitrary email domains via malicious Slack import data to bypass email-based team access restrictio...