CVE-2026-35462

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...

CVE-2026-35460

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected...

OPENSUSE-SU-2026:10759-1 python-Twisted-doc-26.4.0-1.1 on GA media

These are all security issues fixed in the python-Twisted-doc-26.4.0-1.1 package on the GA media of openSUSE Tumbleweed...

EUVD-2026-19657

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...

CVE-2026-35462 Papra Does Not Reject Expired API Keys

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...

EUVD-2026-19655

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs,...

CVE-2026-35461

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs,...

CVE-2026-35460

Papra (document management platform) is affected by an HTML injection in transactional emails prior to version 26.4.0, where user.display name is interpolated into email HTML without escaping. An attacker registering with a display name containing HTML could inject tags into verification and pass...

PT-2026-30854

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs,...

PT-2026-30853

Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected...

Papra 代码问题漏洞

Papra is an open-source document management and archiving platform developed by Papra. Versions of Papra prior to 26.4.0 contained code vulnerabilities. These vulnerabilities stemmed from the lack of verification of API keys with an expiresAt date during authentication. As a result, any API key...

Raml-Module-Builder SQL Injection Vulnerability

Raml-Module-Builder is a framework that allows the creation of modules based on RAML files. A SQL injection vulnerability exists in PostgresClient.update in Raml-Module-Builder version 26.4.0, which can be exploited by an attacker to execute illegal SQL commands...