CZ Loan Management <= 1.1 - SQL Injection

The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. id: CVE-2024-5975 info: name: CZ Loan Management = 1.1 - SQL Injection author...

Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection

Team WordPress plugin = 5.0.11 contains a SQL injection caused by improper sanitization and escaping of a parameter in an AJAX action accessible to unauthenticated users, letting remote attackers execute arbitrary SQL commands. id: CVE-2025-14124 info: name: Team WordPress Plugin TLP Team = 5.0.9...

CVE-2026-52779

OpenProject prior to versions 17.3.3 and 17.4.1 contains a cross-project IDOR/authorization context confusion in the Calendar and Team Planner modules. A user with management permissions in one project can delete public Calendar or Team Planner Queries from another project where they lack corresp...

CVE-2026-52800

CVE-2026-52800 (Gogs) : In Gogs 0.14.1 and earlier, organization team management endpoints were reachable via GET requests with CSRF protection disabled for GET, enabling state-changing actions like adding a user to the Owners team without proper CSRF checks. If the victim is an organization owne...

CVE-2026-52800 Gogs: CSRF Leading to Organization Owner Takeover

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be add...

CVE-2026-52815

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/orgteam.go:8 returns all teams for any organization without requiring authentication. The route...

GHSA-744X-3838-5R56 Gogs Vulnerable to Unauthenticated Organization Teams Information Disclosure via API

Summary Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/orgteam.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the...

Gogs Vulnerable to CSRF Leading to Organization Owner Takeover

Summary In Gogs 0.14.1, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the...

GHSA-PWX3-QCGW-VH7H Gogs Vulnerable to CSRF Leading to Organization Owner Takeover

Summary In Gogs 0.14.1, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the...

CVE-2026-56212 Capgo - Improper 2FA Enforcement Logic via Team Security Settings

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's...

CVE-2026-56212

Capgo has a authentication logic flaw where a user who can manage team/organization security settings can enable mandatory 2FA for all members without validating their own 2FA status. This may lead to inconsistent security enforcement, administrative misuse, and potential lockout risk for team me...

CVE-2026-56212

Capgo before 12.128.2 contains an authentication logic flaw: a user with permission to manage team or organization security settings can enable mandatory two-factor authentication for all team members without first enabling 2FA on their own account. The application fails to verify the initiator's...

PT-2026-51042

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An authentication logic flaw exists where a user authorized to manage team or organization security settings can enforce mandatory two-factor authentication 2FA for all team members without having 2...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: Team: Replace the team lock with rtnl lock. Syszbot reports various ordering issues related to lower instance locks and team locks. It is recommended to use rtnl locks for protecting team devices, similar to bonding. This chan...

Astra Linux – Vulnerabilities in Linux, Linux-5.15, Linux-5.10

In the Linux kernel, the following vulnerability has been resolved: Networks: Fixed a stack overflow issue when LRO is disabled for virtual interfaces. When the features of a virtual interface are updated, the updated features are synchronized with its underlying interfaces. This synchronization...

Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15, Linux-6.1

In the Linux kernel, the following vulnerability has been resolved: Team: Fix null-ptr-deref when the team device type is changed. The null-ptr-deref bug occurs as follows with a reproducer 1. Bug: Kernel NULL pointer dereferencing. Address: 0000000000000228… … RIP:...

Mattermost Server 10.11.x < 10.11.14 / 11.5.x < 11.5.2 Vulnerability (MMSA-2025-00552)

The version of Mattermost Server installed on the remote host is affected by a vulnerability: - Mattermost fails to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members...

CVE-2026-46944

creationtimestamp| type| source ---|---|--- 2026-06-16 21:00:00+00:00| seen| https://www.govcert.gov.hk/en/alertsdetail.php?id=1923 2026-06-17 05:31:59+00:00| seen| https://www.acn.gov.it/portale/w/critical-patch-update-di-oracle-8 2026-06-18 15:37:06+00:00| seen|...

CVE-2026-48518

Affected software: MultiJuicer (versions 8.0.0–10.0.0) running on a central Kubernetes deployment. Vulnerability: CSRF in the team join endpoint (POST /multi-juicer/api/teams/{team}/join) that accepts any Content-Type, bypassing CORS preflight and enabling a cross-site form to force a victim to j...

lab-purple-team

Lab Purple Team - Active Directory !screenshots/wazuhsecu...