CVE-2026-40595

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. Th...

DEBIAN-CVE-2026-44836

viewcomponent is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with publicsend. The code does not verify that the requested method is one of the preview...

DoS (Denial of Service) at commons-fileupload dependency in Crucible Server

This High severity DoS Denial of Service vulnerability was introduced in version 4.9.0 of Crucible Server. This DoS Denial of Service vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows an unauthenticated attacker to cause a resource to...

CVE-2026-42174 Kirby: User avatar creation, replacement and deletion are not gated by user update permissions

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patched in versions 4.9.0 and 5.4.0...

EUVD-2026-28887

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the /api/system endpoint. An attacker can obtain sensitive internal system information, such as installed version and license data, by sending authenticated requests to this endpoint without the required...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the authorization process. An attacker can gain unauthorized access to sensitive site, user, and role information by sending authenticated requests as a Panel user. This is only exploitable if the site is...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization inconsistent permission checks for pages.access, pages.list, files.access, and files.list in the Panel and REST API. An attacker can gain unauthorized access to content or sensitive information by exploiting...

CVE-2026-40595

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. Th...

CVE-2026-40603 Chartbrew: Incorrect Access Control in /api/project/dashboard/:brewName via same-team override

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does n...

CVE-2026-40601

Chartbrew 4.9.0 exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify chart ownership, report/public status, or sharing policy, allowing an unauthenticated attacker who knows a chart ID to trigger a data refresh and re...

CVE-2026-40601 Chartbrew: Missing Authorization in /api/chart/:chart_id/query via team-level refresh toggle

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chartid/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the...

CVE-2026-40600 Chartbrew: Incorrect Access Control in project share policy routes via unbound policy_id

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affect...

EUVD-2026-26411

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the...

PT-2026-36163

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does n...

CVE-2026-32870

Kirby is an open-source content management system. Kirby's Xml::value method has special handling for blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check int...

CVE-2026-32870

Kirby is an open-source content management system. Kirby's Xml::value method has special handling for blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check int...

CVE-2026-32870 Kirby has XML injection in its XML creator toolkit

Kirby is an open-source content management system. Kirby's Xml::value method has special handling for blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check int...

Textpattern CMS 安全漏洞

Textpattern CMS is a content management system based on PHP developed by the Textpattern team. Version 4.9.0 of Textpattern CMS has a security vulnerability. This vulnerability stems from an access control flaw in the article management system, which may allow users with low privileges to modify...

CVE-2026-32252

CVE-2026-32252 – Chartbrew : A cross-tenant authorization bypass exists in GET /team/:team_id/template/generate/:project_id prior to 4.9.0. The handler calls checkAccess(req, "updateAny", "chart") without awaiting the promise and does not verify the project_id belongs to the caller’s team. As a r...