Lucene search
+L

619 matches found

euvd
euvd
added 2026/03/29 6:30 p.m.5 views

EUVD-2026-17039

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...

8.3CVSS7AI score0.00268EPSS
Exploits1References3
pypa
pypa
added 2026/03/29 6:16 p.m.9 views

PYSEC-0000-CVE-2026-0562

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...

8.3CVSS7.3AI score0.00268EPSS
Exploits1References3Affected Software1
cvelist
cvelist
added 2026/03/29 5:49 p.m.30 views

CVE-2026-0562 Insecure Direct Object Reference (IDOR) in parisneo/lollms

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...

8.3CVSS0.00268EPSS
Exploits1References2
cve
cve
added 2026/03/29 5:49 p.m.22 views

CVE-2026-0562

CVE-2026-0562 affects parisneo/lollms up to version 2.2.0. The vulnerability is an IDOR in the respond_request() flow at /api/friends/requests/{friendship_id}, where the authenticated user is not checked for membership in the friendship or for being the intended recipient. As described in Red Hat...

8.3CVSS7AI score0.00268EPSS
Exploits1References3Affected Software1
susecve
susecve
added 2026/03/28 12:25 a.m.7 views

SUSE CVE-2026-33313

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, an authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...

5.3CVSS5.9AI score0.00254EPSS
Exploits0References3
susecve
susecve
added 2026/03/28 12:24 a.m.4 views

SUSE CVE-2026-33680

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...

7.5CVSS5.9AI score0.00398EPSS
Exploits1References3
cvelist
cvelist
added 2026/03/25 4:14 p.m.25 views

CVE-2026-25458 WordPress Moments theme <= 2.2 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Moments moments allows PHP Local File Inclusion.This issue affects Moments: from n/a through = 2.2...

8.1CVSS0.00403EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/03/25 4:14 p.m.3 views

CVE-2026-25344 WordPress Review Schema plugin <= 2.2.6 - Sensitive Data Exposure vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme Review Schema review-schema allows Retrieve Embedded Sensitive Data.This issue affects Review Schema: from n/a through = 2.2.6...

5.8AI score0.0027EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/03/25 4:14 p.m.2 views

CVE-2026-23807 WordPress WP Telegram Widget and Join Link plugin <= 2.2.13 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Reflected XSS.This issue affects WP Telegram Widget and Join Link: from n/a through = 2.2.13...

7.1CVSS5.8AI score0.00175EPSS
Exploits0References1
cnnvd
cnnvd
added 2026/03/25 12:0 a.m.7 views

Tesseract 安全漏洞

Tesseract is an OCR image text recognition library developed by Nazim Gafarov for a Node.js platform. Versions of Tesseract 2.2.1 and earlier contained security vulnerabilities, which were caused by unvalidated file path parameters, potentially leading to OS command injection attacks...

9.8CVSS5.8AI score0.01706EPSS
Exploits3References4
cnnvd
cnnvd
added 2026/03/25 12:0 a.m.9 views

WordPress plugin Remoji 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

7.1CVSS5.8AI score0.00175EPSS
Exploits0References1
nvd
nvd
added 2026/03/24 4:16 p.m.5 views

CVE-2026-33668

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...

8.1CVSS0.00453EPSS
Exploits1References6
osv
osv
added 2026/03/24 3:35 p.m.7 views

CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...

6.5CVSS6.4AI score0.0033EPSS
Exploits1References6
osv
osv
added 2026/03/24 3:30 p.m.6 views

CVE-2026-33668 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect

Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...

7.1CVSS6.3AI score0.00453EPSS
Exploits1References8
attackerkb
attackerkb
added 2026/03/24 3:21 p.m.3 views

CVE-2026-33474

Vikunja is an open-source self-hosted task management platform. Starting in version 1.0.0-rc0 and prior to version 2.2.0, unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Version...

6.5CVSS5.8AI score0.00318EPSS
Exploits1References3Affected Software1
cvelist
cvelist
added 2026/03/24 3:7 p.m.19 views

CVE-2026-33335 Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from window.open calls directly to shell.openExternal without any validation or protocol allowlisting. An attacker who can place ...

6.4CVSS0.00248EPSS
Exploits1References2
osv
osv
added 2026/03/24 3:7 p.m.6 views

CVE-2026-33335 Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from window.open calls directly to shell.openExternal without any validation or protocol allowlisting. An attacker who can place ...

6.4CVSS6AI score0.00248EPSS
Exploits1References4
vulnrichment
vulnrichment
added 2026/03/24 2:53 p.m.6 views

CVE-2026-33315 Vikunja has a 2FA Bypass via Caldav Basic Auth

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.0, the Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be...

6.9CVSS5.8AI score0.00302EPSS
Exploits1References3
cvelist
cvelist
added 2026/03/23 7:15 p.m.29 views

CVE-2026-33548 MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline

Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline myviewpage.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has...

8.6CVSS0.00196EPSS
Exploits0References2
cnnvd
cnnvd
added 2026/03/23 12:0 a.m.7 views

WordPress plugin ReviewX 授权问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

6.5CVSS5.8AI score0.00171EPSS
Exploits0References2
Rows per page
Query Builder