CVE-2026-30847
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers call to return all fields including highly sensitive data such as bcrypt password...
Incorrect Authorization
Overview grumpydictator/firefly-iii is a personal finances manager. Affected versions of this package are vulnerable to Incorrect Authorization via the index and show functions in the user management API endpoints, which lack proper role verification. An attacker can access sensitive information...
CVE-2026-30847
Summary : Wekan versions 8.31.0–8.33 are affected by an insecure publication in the notificationUsers publication, which returns complete user documents with no field filtering. This exposes highly sensitive fields (bcrypt password hashes, active session login tokens, email verification tokens, f...
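The Wekan entries above all describe the same bug class: a Meteor publication that returns user documents without a `fields` projection, so the client receives `services.password.bcrypt`, session login tokens and verification tokens along with the display name it actually needs. The following is an added illustration, not Wekan's code: it models such a publication over constructed user documents (laid out as Meteor's accounts schema stores them), applies a Mongo-style inclusion projection, and adds a guard that refuses any projection able to reach a credential path. `SAFE_FIELDS` is an assumed allow-list, not the one Wekan shipped in its fix.

```javascript
// Added example, not Wekan's code. Models a Meteor publication that hands
// Mongo documents to the client so the effect of a missing `fields`
// projection is visible. USERS is constructed sample data whose layout
// (services.password.bcrypt, services.resume.loginTokens,
// services.email.verificationTokens) follows the Meteor accounts schema.
// SAFE_FIELDS is an assumed allow-list, not Wekan's actual projection.

const USERS = [
  {
    _id: 'u1',
    username: 'alice',
    profile: { fullname: 'Alice', avatarUrl: '/a.png' },
    services: {
      password: { bcrypt: '$2b$10$constructedhash-not-a-real-bcrypt-value' },
      resume: { loginTokens: [{ hashedToken: 'constructed-session-token', when: 1 }] },
      email: { verificationTokens: [{ token: 'constructed-verify', address: 'alice@example.test' }] },
    },
  },
  {
    _id: 'u2',
    username: 'bob',
    profile: { fullname: 'Bob' },
    services: { password: { bcrypt: '$2b$10$constructedhash2' } },
  },
];

// Paths a client must never receive.
const SENSITIVE_PATHS = [
  'services.password.bcrypt',
  'services.password.reset',
  'services.resume.loginTokens',
  'services.email.verificationTokens',
];

// True when including `included` in a projection also ships `secret`
// (`services` covers `services.password.bcrypt`, and vice versa).
function covers(included, secret) {
  return included === secret ||
    secret.startsWith(included + '.') ||
    included.startsWith(secret + '.');
}

// Safe only for an explicit inclusion list that cannot reach a sensitive path.
// No projection means "every field"; exclusion-only projections leak any field
// added to the schema later, so both are rejected.
function projectionIsSafe(fields) {
  if (!fields || Object.keys(fields).length === 0) return false;
  const included = Object.entries(fields).filter(([, v]) => v).map(([k]) => k);
  if (included.length === 0) return false;
  return !included.some((p) => SENSITIVE_PATHS.some((s) => covers(p, s)));
}

// Minimal Mongo-style inclusion projection with dotted paths, on a deep copy
// so callers can never mutate the stored document. `_id` is always kept.
function project(doc, fields) {
  const copy = JSON.parse(JSON.stringify(doc));
  if (!fields || Object.keys(fields).length === 0) return copy; // whole document
  const out = { _id: copy._id };
  for (const [path, inc] of Object.entries(fields)) {
    if (!inc || path === '_id') continue;
    const parts = path.split('.');
    let src = copy;
    for (const p of parts) {
      if (src === null || typeof src !== 'object') { src = undefined; break; }
      src = src[p];
    }
    if (src === undefined) continue;
    let dst = out;
    parts.slice(0, -1).forEach((p) => { dst = dst[p] = dst[p] || {}; });
    dst[parts[parts.length - 1]] = src;
  }
  return out;
}

// Simulated publication body with the guard in front of the query.
function publishUsers(userIds, fields) {
  if (!projectionIsSafe(fields)) {
    throw new Error('refusing to publish users: projection would expose credentials');
  }
  return USERS.filter((u) => userIds.includes(u._id)).map((u) => project(u, fields));
}

// What the vulnerable publication effectively sent: full documents.
function vulnerablePublish(userIds) {
  return USERS.filter((u) => userIds.includes(u._id)).map((u) => project(u, undefined));
}

const SAFE_FIELDS = { username: 1, 'profile.fullname': 1, 'profile.avatarUrl': 1 };

// Does a published document carry any sensitive path?
function leaksSecrets(doc) {
  return SENSITIVE_PATHS.some((path) => {
    let cur = doc;
    for (const p of path.split('.')) {
      if (cur === null || typeof cur !== 'object' || !(p in cur)) return false;
      cur = cur[p];
    }
    return true;
  });
}
```

In a real Meteor app the projection is passed as `Meteor.users.find(selector, { fields: SAFE_FIELDS })` inside `Meteor.publish`; the `projectionIsSafe` guard is the kind of check worth keeping in a unit test over every publication that touches `Meteor.users`, since a single missing `fields` option reintroduces the leak.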
GHSA-JC5M-WRP2-QQ38 Flowise Vulnerable to PII Disclosure on Unauthenticated Forgot Password Endpoint
Summary The /api/v1/account/forgot-password endpoint returns the full user object, including PII (id, name, email, status, timestamps), in the response body instead of a generic success message. This exposes sensitive user information to unauthenticated attackers who only need to know a valid email...
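The fix for this class of bug is response shaping: a forgot-password endpoint should answer with the same status and body whether or not the address belongs to an account, and do the real work (issuing a reset) out of band. The following is an added example, not Flowise's code; the Express-style request/response shape, the in-memory `ACCOUNTS` table and the reset store are constructed stand-ins so it runs offline, and it shows the leaky handler next to the hardened one.

```javascript
// Added example, not Flowise's code. Contrasts a forgot-password handler that
// echoes the stored user record with one that returns the same generic message
// for any address. ACCOUNTS, the reset store and the {status, body} response
// shape are constructed stand-ins for the real framework and database.

const ACCOUNTS = [
  { id: 'c3d1', name: 'Alice Example', email: 'alice@example.test',
    status: 'active', createdDate: '2024-01-01T00:00:00Z' },
];

// Fields that must never reach an unauthenticated caller.
const PII_FIELDS = ['id', 'name', 'email', 'status', 'createdDate', 'updatedDate'];

function findUserByEmail(email) {
  const needle = String(email || '').trim().toLowerCase();
  return ACCOUNTS.find((u) => u.email.toLowerCase() === needle) || null;
}

// Vulnerable shape: the stored record is the response body, and the 404
// branch confirms to the caller that the address is not registered.
function forgotPasswordLeaky(reqBody, resets) {
  const user = findUserByEmail(reqBody.email);
  if (!user) return { status: 404, body: { message: 'User not found' } };
  resets.issue(user.id);
  return { status: 200, body: user };
}

// Fixed shape: identical status and body whether or not the account exists;
// the reset is only issued (to the stored address, never to the request) when
// it does. Nothing about the account is derivable from the HTTP response.
const GENERIC = Object.freeze({
  message: 'If an account exists for that address, a reset link has been sent.',
});

function forgotPasswordSafe(reqBody, resets) {
  const user = findUserByEmail(reqBody.email);
  if (user) resets.issue(user.id);
  return { status: 200, body: GENERIC };
}

// Constructed reset store: records which user ids received a reset.
function makeResets() {
  const issued = [];
  return { issue: (id) => { issued.push(id); }, issued };
}

// Review helper: which PII fields does a response body expose?
function leaksPII(body) {
  return PII_FIELDS.filter((f) => body && Object.prototype.hasOwnProperty.call(body, f));
}
```

The generic message still leaves timing and rate limiting as separate concerns (a reset that sends mail only for known accounts can take measurably longer), so the endpoint should also be rate limited per address and per source; the example only fixes what the advisory describes, the body contents.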
GHSA-7X43-MPFG-R9WJ Craft CMS has IDOR via GraphQL @parseRefs
The GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., user:1:email), can be abused by authenticated users, and by unauthenticated guests if a Public Schema is enabled, to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs...
CVE-2026-0025
In hasImage of Notification.java, there is a possible way to reveal information across users due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-59600
CVE-2025-59600 is a memory corruption in Graphics, classified as a Buffer Over-read, triggered when user-supplied data is added to a buffer without validating the space available. The root cause is that buffer capacity is not checked at the point the data is submitted. Docume...
CVE-2025-59600 Buffer Over-read in Graphics
Memory Corruption when adding user-supplied data without checking available buffer space...
CVE-2025-52468 Chamilo: Stored XSS Vulnerability via CSV User Import
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows...
CVE-2025-50189 Chamilo: Error-based SQL Injection
Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resourcedocumentSQLINJECTIONHERE and POST login parameters found in /main/coursecopy/copycoursesessionselected.php, which allows an attack...
CVE-2026-28424
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...
Smoothwall Express Cross-Site Scripting Vulnerability (CNVD-2026-14283)
Smoothwall Express is an open source GNU/Linux-based firewall operating system from Smoothwall. Smoothwall Express has a cross-site scripting vulnerability that stems from the hosts.cgi script not effectively filtering user-supplied data in the IP, HOSTNAME or COMMENT parameters, and...
Apple macOS Tahoe Information Disclosure Vulnerability (CNVD-2026-14995)
Apple macOS Tahoe is an operating system from the American company Apple. Apple macOS Tahoe suffers from an information disclosure vulnerability that can be exploited by attackers to access sensitive user data...
Apple macOS Tahoe Information Disclosure Vulnerability (CNVD-2026-14994)
Apple macOS Tahoe is an operating system from the American company Apple. Apple macOS Tahoe suffers from an information disclosure vulnerability that can be exploited by attackers to cause an application to access protected user data...
Apple macOS Information Disclosure Vulnerability (CNVD-2026-14974)
Apple macOS is a specialized operating system developed by Apple for Mac computers. Apple macOS has an information disclosure vulnerability that can be exploited by attackers to access sensitive user data...
Multiple Apple Products Information Disclosure Vulnerability (CNVD-2026-14496)
Apple iOS is an operating system developed for mobile devices. Apple macOS is a specialized operating system developed for Mac computers. Apple iPadOS is an operating system for iPad tablets. An information disclosure vulnerability exists in multiple Apple products, which can be exploited by an...