Lucene search
K

15085 matches found

CVE
CVE
added 2026/06/29 8:12 p.m.19 views

CVE-2026-57498

CVE-2026-57498 affects Coolify. Before 4.0.0-beta.474, API controllers validated server ownership via Server::whereTeamId($teamId) for operations, but multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without team ownership validation. This enable...

9.6CVSS5.8AI score0.00223EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/29 8:12 p.m.22 views

CVE-2026-57498 Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid — Deploy to Other Teams' Servers

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId$teamId before any operation. However, multiple Livewire web UI components accept...

9.6CVSS0.00223EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/06/29 2:28 p.m.6 views

WordPress Team Members – Multi Language Supported Team Plugin plugin <= 8.7 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by AveronSec - Averon Security in WordPress Plugin Team Member versions = 8.7...

4.4CVSS5.8AI score0.00212EPSS
Exploits0References1Affected Software1
Circl
Circl
added 2026/06/29 1:18 p.m.8 views

CERTFR-2026-ACT-028

creationtimestamp| type| source ---|---|--- 2026-06-29 13:18:55+00:00| seen| https://bsky.app/profile/cert-fr.bsky.social/post/3mpglahrxgg2r 2026-06-29 13:19:01+00:00| seen| https://social.numerique.gouv.fr/users/certfr/statuses/116833591913906031 2026-06-30 09:08:15+00:00| seen|...

5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.12 views

PT-2026-53734

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.474 Description Multiple Livewire web UI components fail to validate team ownership when processing server id and destination uuid passed via URL query parameters. While API controllers correctly use the...

9.6CVSS5.8AI score0.00223EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.18 views

PT-2026-53749

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.471 Description Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Server and project lookups are not scoped to the current team, which allows any...

7.7CVSS5.8AI score0.00201EPSS
Exploits0References5
OSV
OSV
added 2026/06/26 8:30 p.m.2 views

GHSA-GM7F-V959-FR2G Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint

Summary The global policy read endpoint GET /api/latest/fleet/policies/policyid performs authorization against an empty fleet.Policy struct with nil TeamID, then fetches any policy by ID from the database without verifying the fetched policy actually belongs to the global scope. This allows a use...

4.3CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 8:30 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through the GetPolicyByIDQueries process. An attacker can access policy data belonging to other teams by sending requests to the global policy read endpoint with valid credentials for any team, thereby bypassing...

5.3CVSS6AI score
Exploits0References2
NVD
NVD
added 2026/06/26 8:17 p.m.7 views

CVE-2026-52779

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries...

5.4CVSS0.00185EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 7:2 p.m.15 views

CVE-2026-52779

OpenProject prior to versions 17.3.3 and 17.4.1 contains a cross-project IDOR/authorization context confusion in the Calendar and Team Planner modules. A user with management permissions in one project can delete public Calendar or Team Planner Queries from another project where they lack corresp...

5.4CVSS5.8AI score0.00185EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 7:2 p.m.8 views

CVE-2026-52779

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries...

5.4CVSS5.8AI score0.00185EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/26 7:2 p.m.29 views

CVE-2026-52779 OpenProject: Cross-project authorization bypass allows deleting public Calendar and Team Planner queries from unauthorized projects

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries...

5.4CVSS0.00185EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.9 views

PT-2026-53001

Name of the Vulnerable Software and Affected Versions Fleet DM affected versions not specified Description An issue exists in the global policy read endpoint GET /api/latest/fleet/policies/policy id where authorization is performed against an empty structure with a nil TeamID. This allows the...

4.3CVSS6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.18 views

PT-2026-52910

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.3 OpenProject versions prior to 17.4.1 Description An authorization context confusion and Insecure Direct Object Reference IDOR exist within the Calendar and Team Planner modules. A user with management...

5.4CVSS5.8AI score0.00185EPSS
Exploits0References3
CVE
CVE
added 2026/06/24 8:18 p.m.15 views

CVE-2026-52800

CVE-2026-52800 (Gogs) : In Gogs 0.14.1 and earlier, organization team management endpoints were reachable via GET requests with CSRF protection disabled for GET, enabling state-changing actions like adding a user to the Owners team without proper CSRF checks. If the victim is an organization owne...

8.8CVSS5.9AI score0.00248EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/24 8:18 p.m.25 views

CVE-2026-52800 Gogs: CSRF Leading to Organization Owner Takeover

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be add...

8.8CVSS0.00248EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/24 8:1 p.m.6 views

CVE-2026-52815

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/orgteam.go:8 returns all teams for any organization without requiring authentication. The route...

6.9CVSS5.9AI score0.01553EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/23 5:13 p.m.3 views

GHSA-744X-3838-5R56 Gogs Vulnerable to Unauthenticated Organization Teams Information Disclosure via API

Summary Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/orgteam.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the...

6.9CVSS5.8AI score0.01553EPSS
Exploits0References5
OSV
OSV
added 2026/06/23 12:2 a.m.1 views

GHSA-PWX3-QCGW-VH7H Gogs Vulnerable to CSRF Leading to Organization Owner Takeover

Summary In Gogs 0.14.1, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the...

8.8CVSS5.8AI score0.00248EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/23 12:2 a.m.10 views

Gogs Vulnerable to CSRF Leading to Organization Owner Takeover

Summary In Gogs 0.14.1, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the...

8.8CVSS5.8AI score0.00248EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder