Lucene search
K

198 matches found

CVE
CVE
added yesterday9 views

CVE-2026-58372

SeaweedFS prior to 4.34 is affected by a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler. Authenticated S3 principals with write access to a single bucket can delete arbitrary objects in other tenants’ buckets by sending object keys containing ../ in the DeleteObjects ...

8.1CVSS5.9AI score
Exploits0References6
NVD
NVD
added 2 days ago8 views

CVE-2026-57956

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules...

6.4CVSS0.00177EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-40141

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules...

6.4CVSS5.8AI score0.00177EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago32 views

CVE-2026-57956 SigNoz 0.130.1 - Cross-Organization Insecure Direct Object Reference in Alert Rules

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules...

6.4CVSS0.00177EPSS
Exploits0References2
CVE
CVE
added 2 days ago11 views

CVE-2026-57956

SigNoz

6.4CVSS5.8AI score0.00177EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 5 days ago4 views

CVE-2026-53577

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint GET /api/v1/tenant/executions/executionId/file/preview contains an access control bypass that allows any authenticated user to read output files from any other executio...

6.5CVSS5.9AI score0.00268EPSS
Exploits0References2Affected Software1
NVD
NVD
added 5 days ago7 views

CVE-2026-49991

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely...

8.6CVSS0.00273EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 5 days ago11 views

PT-2026-52909

Name of the Vulnerable Software and Affected Versions RustFS version 1.0.0-beta.4 Description Authenticated users with PutObject permission on their own bucket can exploit a path traversal issue in the Snowball auto-extract feature to write arbitrary objects into buckets belonging to other users,...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References4
CVE
CVE
added last week9 views

CVE-2026-52812

CVE-2026-52812 affects Gogs (open source self-hosted Git service) prior to 0.14.3. The vulnerability stems from a dedupe path in LFS storage: when an OID file already exists on disk, serveUpload bypasses hash verification and inserts a new per-repo binding (repo_id, oid) without confirming that t...

7.1CVSS5.9AI score0.00236EPSS
Exploits0References4
CVE
CVE
added last week4 views

CVE-2026-56231

Capgo prior to 12.128.2 contains a broken object level authorization (BOLA) in build endpoints: POST /build/start/:jobId and POST /build/cancel/:jobId. The handlers validate only the attacker-controlled app_id in the request body and fail to verify that the URL jobId belongs to the same app/tenan...

7.6CVSS6.1AI score0.00176EPSS
Exploits0References2
NVD
NVD
added 2026/06/20 4:17 p.m.12 views

CVE-2026-56319

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:appid endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by...

5.3CVSS0.00187EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/20 3:24 p.m.28 views

CVE-2026-56319 Capgo - App Existence Oracle via GET /statistics/app/:app_id

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:appid endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by...

5.3CVSS0.00187EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/20 3:24 p.m.9 views

EUVD-2026-38125

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:appid endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by...

5.3CVSS5.9AI score0.00187EPSS
Exploits0References2
CVE
CVE
added 2026/06/20 3:24 p.m.16 views

CVE-2026-56319

CVE-2026-56319 affects Capgo prior to 12.128.2. The issue is an information disclosure in GET /statistics/app/:app_id that lets app-limited API keys distinguish existing sibling app IDs by observing differential error responses (500 PGRST116 for inaccessible apps vs 401 for nonexistent apps), bre...

5.3CVSS5.9AI score0.00187EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/20 12:0 a.m.12 views

PT-2026-51157

Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An information disclosure issue exists in the 'GET /statistics/app/:app id' endpoint. This allows users with app-limited API keys to identify existing sibling app IDs by analyzing differential error...

5.3CVSS5.9AI score0.00187EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.13 views

PT-2026-51109

Summary OpenBao users with access to the sys/leases/revoke/:lease id endpoint in any namespace can revoke leases in any other namespace as long as the lease identifier is known to them, bypassing ACLs that should apply for cross-namespace revocations. Impact OpenBao's namespaces provide...

2.1CVSS5.8AI score
Exploits0References7
EUVD
EUVD
added 2026/06/15 9:55 p.m.7 views

EUVD-2026-37013

Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In...

7.6CVSS5.3AI score0.00273EPSS
Exploits0References4
NVD
NVD
added 2026/06/15 8:16 p.m.7 views

CVE-2026-50875

Incorrect access control in the /form/webhooks/webhook endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request...

8.1CVSS0.00282EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.14 views

PT-2026-49316

Name of the Vulnerable Software and Affected Versions Deck9 Input version 2.0.1 Description Incorrect access control in the "/form/webhooks/webhook" endpoint allows authenticated attackers to arbitrarily modify or delete webhooks belonging to other tenants by sending a crafted request...

8.1CVSS5.9AI score0.00282EPSS
Exploits0References4
CVE
CVE
added 2026/06/15 12:0 a.m.16 views

CVE-2026-50875

CVE-2026-50875 affects Deck9 Input v2.0.1: the /{form}/webhooks/{webhook} endpoint has incorrect access control, enabling authenticated attackers to modify or delete another tenant’s webhook via a crafted request. CVSS 3.1 base score 8.1 (HIGH): Network, Low attack complexity, Privileges required...

8.1CVSS5.3AI score0.00282EPSS
Exploits0References1
Rows per page
Query Builder