7130 matches found

CVE
added 2026/03/27 8:1 p.m., 10 views

CVE-2026-33872

CVE-2026-33872 affects elixir-nodejs prior to 3.1.4. A race condition in the worker protocol enables Cross-User Data Leakage due to lack of request–response correlation, potentially returning data intended for a different user in high-throughput/concurrent scenarios. The vulnerability can disclo...

CVSS 7.1, AI score 6, EPSS 0.00315
Exploits: 0, References: 4
OSV
added 2026/03/27 8:1 p.m., 3 views

CVE-2026-33872 elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition

elixir-nodejs provides an Elixir API for calling Node.js functions. A vulnerability in versions prior to 3.1.4 results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response"...

CVSS 7.1, AI score 6, EPSS 0.00315
Exploits: 0, References: 6
Vulnrichment
added 2026/03/27 4:42 p.m., 3 views

CVE-2026-34362 AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the verifyTokenSocket function in plugin/YPTSocket/functions.php has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows...

CVSS 5.4, AI score 5.8, EPSS 0.00247
Exploits: 1, References: 2
RedhatCVE
added 2026/03/27 2:25 p.m., 4 views

CVE-2021-27382

A vulnerability has been identified in Solid Edge SE2020 All versions SE2020MP13, Solid Edge SE2020 All versions SE2020MP14, Solid Edge SE2021 All Versions SE2021MP4. Affected applications lack proper validation of user-supplied data when parsing of PAR files. This could result in a stack based...

CVSS 7.8, AI score 7.1, EPSS 0.02303
Exploits: 0, References: 1
RedhatCVE
added 2026/03/27 2:25 p.m., 15 views

CVE-2021-27401

The Join Meeting page of Mitel MiCollab Web Client before 9.2 FP2 could allow an attacker to access view and modify user data by executing arbitrary code due to insufficient input validation, aka Cross-Site Scripting XSS...

CVSS 6.1, AI score 6.8, EPSS 0.00586
Exploits: 0, References: 1
RedhatCVE
added 2026/03/27 2:25 p.m., 21 views

CVE-2021-27397

A vulnerability has been identified in Tecnomatix Plant Simulation All versions V16.0.5. The PlantSimCore.dll library lacks proper validation of user-supplied data when parsing SPP files. This could result in a memory corruption condition. An attacker could leverage this vulnerability to execute...

CVSS 7.8, AI score 7, EPSS 0.01355
Exploits: 0, References: 1
RedhatCVE
added 2026/03/27 2:25 p.m., 23 views

CVE-2021-27496

Datakit Software libraries CatiaV53dRead, CatiaV63dRead, Step3dRead, Ug3dReadPsr, Jt3dReadPsr modules in KeyShot Versions v10.1 and prior lack proper validation of user-supplied data when parsing PRT files. This could lead to pointer dereferences of a value obtained from an untrusted source. An...

CVSS 7.8, AI score 7, EPSS 0.02029
Exploits: 0, References: 1
Vulnrichment
added 2026/03/27 1:43 p.m., 4 views

CVE-2025-13478 Cache Misconfiguration Leading to Cross-User Data Exposure

Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager: 25.2v4.10.1...

CVSS 8.4, AI score 6, EPSS 0.00286
Exploits: 0, References: 2
CVE
added 2026/03/27 1:43 p.m., 6 views

CVE-2025-13478

CVE-2025-13478 affects OpenText Identity Manager on Windows and Linux (Identity Manager: 25.2 v4.10.1). The issue is a cache misconfiguration where insecure application cache handling allows remote authenticated users to obtain another user’s session data. Impact per available docs: potential exp...

CVSS 8.4, AI score 6, EPSS 0.00286
Exploits: 0, References: 2
ATTACKERKB
added 2026/03/26 8:52 p.m., 2 views

CVE-2026-33638

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...

CVSS 5.3, AI score 5.8, EPSS 0.00484
Exploits: 0, References: 4, Affected Software: 1
CVE
added 2026/03/26 8:52 p.m., 8 views

CVE-2026-33638

CVE-2026-33638 (Ech0): Prior to version 4.2.0, the public endpoint GET /api/allusers exposes user records without authentication, enabling remote unauthenticated user enumeration and exposure of user profile metadata. The issue is in the internal/router handling of /api/allusers. A fix is availa...

CVSS 5.3, AI score 5.8, EPSS 0.00484
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2026/03/26 8:52 p.m., 2 views

CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...

CVSS 5.3, AI score 6.4, EPSS 0.00484
Exploits: 0, References: 5
Snyk
added 2026/03/26 8:33 p.m., 5 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the /api/allusers endpoint. An attacker can access sensitive user information by sending requests to this publicly accessible API endpoint. Remediation: Upgrade github.com/lin-snow/ech0/internal/router to versio...

CVSS 6.9, AI score 5.9, EPSS 0.00484
Exploits: 0, References: 3
OSV
added 2026/03/26 7:3 p.m., 4 views

GHSA-CVH3-23VQ-W7H4 Statamic's Markdown preview endpoint exposes sensitive user data

Impact: The markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor...

CVSS 6.5, AI score 5.8, EPSS 0.00255
Exploits: 0, References: 3
Snyk
added 2026/03/26 7:3 p.m., 3 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the markdown preview endpoint. An attacker can access sensitive user data, including email addresses and encrypted authentication information, by manipulating the endpoint to return augmented data from...

CVSS 7.1, AI score 6, EPSS 0.00255
Exploits: 0, References: 2
Github Security Blog
added 2026/03/26 7:3 p.m., 4 views

Statamic's Markdown preview endpoint exposes sensitive user data

Impact: The markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor...

CVSS 6.5, AI score 5.8, EPSS 0.00255
Exploits: 0, References: 3, Affected Software: 1
RedhatCVE
added 2026/03/26 3:16 p.m., 5 views

CVE-2026-20632

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Tahoe 26.4. An app may be able to access sensitive user data...

CVSS 5.3, AI score 5.8, EPSS 0.00299
Exploits: 0, References: 1
RedhatCVE
added 2026/03/26 3:16 p.m., 3 views

CVE-2026-20694

This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Sequoia 15.7.4, macOS Sequoia 15.7.5, macOS Sonoma 14.8.4, macOS Sonoma 14.8.5, macOS Tahoe 26.3, macOS Tahoe 26.4. An app may be able to access user-sensitive data...

CVSS 5.5, AI score 5.8, EPSS 0.00197
Exploits: 0, References: 1
RedhatCVE
added 2026/03/26 3:16 p.m., 2 views

CVE-2026-20670

An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.8.4, macOS Tahoe 26.3. An app may be able to access sensitive user data...

CVSS 5.5, AI score 5.8, EPSS 0.0012
Exploits: 0, References: 1
RedhatCVE
added 2026/03/26 3:16 p.m., 3 views

CVE-2026-20607

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, macOS Tahoe 26.4. An app may be able to access protected user data...

CVSS 4, AI score 5.8, EPSS 0.00187
Exploits: 0, References: 1