Lucene search
+L

30 matches found

cve
cve
added 2026/06/26 7:27 p.m.12 views

CVE-2026-44736

OpenProject vulnerability CVE-2026-44736 affects the OpenProject web-based project management platform. The flaw exists in the GET /api/v3/relations endpoint prior to version 17.4.0, allowing any authenticated user to retrieve relations and the titles of work packages they should not have permiss...

6.5CVSS5.9AI score0.00286EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/26 7:27 p.m.24 views

CVE-2026-44736 OpenProject: Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work Package Subjects

OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations — and the subject title of work packages they have no permission to view — by supplying an arbitrary work package ID in the...

6.5CVSS0.00286EPSS
Exploits0References1
osv
osv
added 2026/06/26 7:27 p.m.4 views

CVE-2026-44736 OpenProject: Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work Package Subjects

OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations — and the subject title of work packages they have no permission to view — by supplying an arbitrary work package ID in the...

6.5CVSS6.1AI score0.00286EPSS
Exploits0References3
osv
osv
added 2026/06/26 7:1 p.m.4 views

CVE-2026-47193 OpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1...

7.5CVSS5.9AI score0.00252EPSS
Exploits0References3
cvelist
cvelist
added 2026/06/26 7:1 p.m.31 views

CVE-2026-47193 OpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1...

7.5CVSS0.00252EPSS
Exploits0References1
osv
osv
added 2026/06/16 9:31 p.m.6 views

GHSA-6JM4-83G2-35GV Duplicate Advisory: memory-wiki shared search could miss session visibility checks

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-72fw-cqh5-f324. This link is maintained to preserve external references. Original DescriptionOpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows...

6.5CVSS5.3AI score0.0021EPSS
Exploits0References4
nvd
nvd
added 2026/06/16 7:17 p.m.14 views

CVE-2026-53844

OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that shoul...

6.5CVSS0.0021EPSS
Exploits0References2
cve
cve
added 2026/06/16 6:4 p.m.30 views

CVE-2026-53844

OpenClaw vulnerability CVE-2026-53844 affects OpenClaw prior to version 2026.4.29, involving a session visibility check bypass in the shared memory search path. The issue enables authenticated callers to skip session visibility guards and access memory entries that should not be visible to their ...

6.5CVSS5.3AI score0.0021EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/06/16 6:4 p.m.5 views

CVE-2026-53844 OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search

OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that shoul...

6CVSS6AI score0.0021EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/06/16 12:0 a.m.19 views

PT-2026-49761

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.29 Description A session visibility check bypass exists in the shared memory search of the memory-wiki feature. This allows authenticated callers to skip session visibility guards on the search path, enabling...

6.5CVSS5.2AI score0.0021EPSS
Exploits0References5
vulnrichment
vulnrichment
added 2026/04/23 9:58 p.m.5 views

CVE-2026-41350 OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations

OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the sessionstatus function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke sessionstatus without sandbox constraints to bypass session-policy...

5.3CVSS5.2AI score0.00199EPSS
Exploits0References3
cve
cve
added 2026/04/23 9:58 p.m.23 views

CVE-2026-41350

CVE-2026-41350 affects OpenClaw prior to 2026.3.31, where the session_status function fails to enforce tools.sessions.visibility restrictions for unsandboxed invocations. This allows attackers to invoke session_status without sandbox constraints, bypassing session-policy controls and accessing re...

5.3CVSS5.8AI score0.00199EPSS
Exploits0References3Affected Software1
cnnvd
cnnvd
added 2026/04/23 12:0 a.m.13 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contained security vulnerabilities. These vulnerabilities were due to a session visibility bypass vulnerability. The sessionstatus function did not enforce the configured...

5.3CVSS5.8AI score0.00199EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/04/23 12:0 a.m.13 views

PT-2026-34781

OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session status without sandbox constraints to bypass session-policy...

5.3CVSS5.8AI score0.00199EPSS
Exploits0References5
cvelist
cvelist
added 2026/04/21 5:6 p.m.51 views

CVE-2026-41190 FreeScout has assigned-only visibility bypass via save_draft that allows hidden conversation draft injection

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when APPSHOWONLYASSIGNEDCONVERSATIONS is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The savedraft AJAX path is weaker. A direct POST can create a dra...

7.1CVSS0.00211EPSS
Exploits0References3
cve
cve
added 2026/04/21 5:4 p.m.12 views

CVE-2026-41189

FreeScout prior to 1.8.215 is vulnerable: customer-thread editing bypasses the assigned-only visibility due to ThreadPolicy::edit() not enforcing ConversationPolicy restrictions, allowing a user who cannot view a conversation to load and edit hidden customer-authored threads. The issue is address...

7.1CVSS5.8AI score0.00223EPSS
Exploits0References3
osv
osv
added 2026/04/07 4:5 p.m.4 views

CVE-2026-39384 FreeScout Customer Merge Cross-Mailbox Authorization Bypass

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limitusercustomervisibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212...

7.6CVSS6AI score0.00235EPSS
Exploits1References4
redhatcve
redhatcve
added 2026/04/01 11:0 p.m.7 views

CVE-2026-32143

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could...

6.5CVSS5.8AI score0.00234EPSS
Exploits0References1
nvd
nvd
added 2026/03/31 6:16 p.m.6 views

CVE-2026-32143

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could...

6.5CVSS0.00234EPSS
Exploits0References2
euvd
euvd
added 2026/03/31 5:39 p.m.5 views

EUVD-2026-17548

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, moderators could export CSV data for admin-restricted reports, bypassing the report visibility restrictions. This could...

5.3CVSS5.8AI score0.00234EPSS
Exploits0References2
Rows per page
Query Builder