
7130 matches found

CNNVD
added 2026/03/25 12:0 a.m., 4 views

Apple macOS security vulnerability

Apple macOS is a proprietary operating system developed by the American company Apple for Mac computers. Versions of Apple macOS prior to Sonoma 14.8.4 and Tahoe 26.3 contained security vulnerabilities due to authorization issues, which could allow applications to access sensitive user data...

CVSS 5.5, AI score 5.8, EPSS 0.0012
Exploits 0, References 2
OSV
added 2026/03/24 10:25 p.m., 2 views

GHSA-M983-7426-5HRJ Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Summary: A public access-control flaw allows unauthenticated users to retrieve the full user list from GET /api/allusers. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration. Details: The vulnerable route is registered as a public endpoint:...

CVSS 5.3, AI score 5.9, EPSS 0.00484
Exploits 0, References 5
NVD
added 2026/03/24 7:16 p.m., 6 views

CVE-2026-33627

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery...

CVSS 7.1, EPSS 0.00378
Exploits 0, References 5
Positive Technologies
added 2026/03/24 12:0 a.m., 3 views

PT-2026-27585

Name of the Vulnerable Software and Affected Versions: macOS versions prior to 15.7.5; macOS versions prior to 14.8.5; macOS versions prior to 26.4. Description: An issue related to the handling of private data in log entries was identified. Specifically, an application could potentially access...

CVSS 5.3, AI score 5.7, EPSS 0.00789
Exploits 0, References 6
Positive Technologies
added 2026/03/24 12:0 a.m., 7 views

PT-2026-27577

Name of the Vulnerable Software and Affected Versions: macOS versions prior to 26.4. Description: An authorization issue exists due to improved state management. This could allow an application to access protected user data. Recommendations: Update to macOS version 26.4...

CVSS 5.5, AI score 5.8, EPSS 0.00124
Exploits 0, References 5
Positive Technologies
added 2026/03/24 12:0 a.m., 5 views

PT-2026-27530

Name of the Vulnerable Software and Affected Versions: macOS versions prior to 15.7.5; macOS versions prior to 14.8.5; macOS versions prior to 26.4. Description: An application may be able to access user-sensitive data due to improved handling of symlinks. Recommendations: Update macOS to version 15.7....

CVSS 5.5, AI score 5.7, EPSS 0.0021
Exploits 0, References 8
Positive Technologies
added 2026/03/24 12:0 a.m., 3 views

PT-2026-27633

Name of the Vulnerable Software and Affected Versions: Ech0 versions prior to 4.2.0. Description: The GET /api/allusers API endpoint is publicly accessible, allowing remote unauthenticated user enumeration and exposure of user profile metadata. The route is registered under public routes in...

CVSS 5.3, AI score 5.8, EPSS 0.00484
Exploits 0, References 7
Tenable Nessus
added 2026/03/24 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-33192

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Free5GC is an open-source Linux Foundation project for 5th generation 5G mobile core networks. In versions prior to 1.4.2, the UDM incorrectly converts a...

CVSS 8.7, AI score 5.8, EPSS 0.00321
Exploits 1, References 2
Cvelist
added 2026/03/23 9:40 p.m., 19 views

CVE-2026-32300 Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41...

CVSS 8.1, EPSS 0.00305
Exploits 0, References 4
CVE
added 2026/03/23 9:40 p.m., 8 views

CVE-2026-32300

This CVE entry relates to Connect CMS (My Page Profile Update) with an improper authorization flaw that can allow an authenticated attacker to modify arbitrary user information (including passwords). Affected versions are 1.x up to 1.41.0 and 2.x up to 2.41.0. The vulnerability enables takeover o...

CVSS 8.1, AI score 5.9, EPSS 0.00305
Exploits 0, References 4, Affected Software 1
ATTACKERKB
added 2026/03/23 8:42 p.m., 3 views

CVE-2026-23486

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4...

CVSS 6.9, AI score 5.7, EPSS 0.00711
Exploits 0, References 4, Affected Software 1
Cvelist
added 2026/03/23 8:42 p.m., 21 views

CVE-2026-23486 Blinko: Unauthorized User Information Leak

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, a publicly accessible endpoint exposes all user information, including usernames, roles, and account creation dates. This issue has been patched in version 1.8.4...

CVSS 6.9, EPSS 0.00711
Exploits 0, References 3
EUVD
added 2026/03/23 8:39 p.m., 4 views

EUVD-2026-14576

Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information...

CVSS 8.1, AI score 5.8, EPSS 0.00305
Exploits 0, References 4
Github Security Blog
added 2026/03/23 8:39 p.m., 4 views

Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information

Security Advisory — My Page Profile Update Improper Authorization. Summary: An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Affected Versions: 1.x series ≤ 1.41.0; 2.x series ≤ 2.41.0. Patched Versions: 1.41.1; 2.41.1...

CVSS 8.1, AI score 5.9, EPSS 0.00305
Exploits 0, References 6, Affected Software 1
Cvelist
added 2026/03/23 6:42 p.m., 19 views

CVE-2026-33685 AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/ADServer/reports.json.php endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel...

CVSS 5.3, EPSS 0.00315
Exploits 1, References 2
CVE
added 2026/03/23 6:42 p.m., 4 views

CVE-2026-33685

WWBN AVideo up to version 26.0 exposes ad campaign analytics and related user data via unauthenticated access to plugin/AD_Server/reports.json.php. The HTML reports (reports.php) and CSV export (getCSV.php) enforce User::isAdmin(), but the JSON API lacked authentication/authorization checks, allo...

CVSS 5.3, AI score 5.8, EPSS 0.00315
Exploits 1, References 2, Affected Software 1
Vulnrichment
added 2026/03/23 6:42 p.m., 2 views

CVE-2026-33685 AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/ADServer/reports.json.php endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel...

CVSS 5.3, AI score 5.8, EPSS 0.00315
Exploits 1, References 2
OSV
added 2026/03/23 6:42 p.m., 3 views

CVE-2026-33685 AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/ADServer/reports.json.php endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel...

CVSS 5.3, AI score 5.8, EPSS 0.00315
Exploits 1, References 4
ATTACKERKB
added 2026/03/23 4:26 a.m., 3 views

CVE-2025-10736

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to unauthorized access of data due to improper authorization checks on the userAccessibility function in all versions up to, and including, 2.2.10. This...

CVSS 6.5, AI score 5.8, EPSS 0.00171
Exploits 0, References 3
CVE
added 2026/03/23 4:26 a.m., 10 views

CVE-2025-10736

The CVE-2025-10736 entry concerns the WordPress plugin “ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More.” All versions up to 2.2.10 are affected due to improper authorization checks in the userAccessibility() function, allowing unauthentic...

CVSS 6.5, AI score 5.8, EPSS 0.00171
Exploits 0, References 2