346 matches found
EUVD-2026-22873
Mattermost versions 10.11.x = 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API...
GHSA-MXXH-FMJQ-J6X4 Mattermost doesn't validate whether users were correctly owned by the correct Connected Workspace
Mattermost versions 10.11.x = 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the cleanupCommand field in the PATCH /api/execution-workspaces/:id endpoint, which is stored and later executed by the server without input validation or sanitization. An attacker can execute arbitrary system...
CVE-2026-27769
Mattermost versions 10.11.x = 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API...
CVE-2026-27769 Connected Workspaces: Malicious remote server can manipulate arbitrary user's status
Mattermost versions 10.11.x = 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API...
CVE-2026-27769
Mattermost CVE-2026-27769 affects Mattermost 10.11.x up to 10.11.12 where the Connected Workspaces feature does not validate that users are correctly owned by the target Connected Workspace. This allows a malicious remote server connected via the Connected Workspaces API to change the displayed s...
CVE-2026-27769
Mattermost versions 10.11.x = 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API...
CVE-2026-27769 Connected Workspaces: Malicious remote server can manipulate arbitrary user's status
Mattermost versions 10.11.x = 10.11.12 fail to validate whether users were correctly owned by the correct Connected Workspace which allows a malicious remote server connected using the Conntexted Workspaces feature to change the displayed status of local users via the Connected Workspaces API...
PT-2026-33036
Name of the Vulnerable Software and Affected Versions Mattermost versions 10.11.x through 10.11.12 Description Improper validation of user ownership within the Connected Workspaces feature allows a malicious remote server to change the displayed status of local users via the Connected Workspaces...
MAL-2026-2668 Malicious code in pnpm-workspaces (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 19d252b93a40f90995892530ecd34dc35e9ec7e5b741cb02416fd3dde3e082d8 The package pnpm-workspaces was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in pnpm-workspaces (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 19d252b93a40f90995892530ecd34dc35e9ec7e5b741cb02416fd3dde3e082d8 The package pnpm-workspaces was found to contain malicious code. Source: ossf-package-analysis...
CVE-2026-35668 OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters
OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in...
CVE-2026-39355
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’ team workspaces...
[SECURITY] Fedora 42 Update: cmake-3.31.11-1.fc42
CMake is used to control the software compilation process using simple platform and compiler independent configuration files. CMake generates native makefiles and workspaces that can be used in the compiler environment of your choice. CMake is quite sophisticated: it is possible to support comple...
[SECURITY] Fedora 42 Update: uv-0.10.12-1.fc42
An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...
[SECURITY] Fedora 43 Update: uv-0.10.12-1.fc43
An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...
[SECURITY] Fedora 44 Update: uv-0.11.2-1.fc44
An extremely fast Python package and project manager, written in Rust. Highlights: =E2=80=A2 A single tool to replace pip, pip-tools, pipx, poetry, pyenv, twi ne, virtualenv, and more. =E2=80=A2 10-100x faster than pip. =E2=80=A2 Provides comprehensive project management, with a universal lockf...
CVE-2026-31879
Frappe is a full-stack web application framework. Prior to 14.100.2, 15.101.0, and 16.10.0, due to a lack of validation and improper permission checks, users could modify other user's private workspaces. Specially crafted requests could lead to stored XSS here. This vulnerability is fixed in...
CVE-2026-32005
OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including blockaction, viewsubmission, and viewclosed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue...
[SECURITY] Fedora 43 Update: cmake-3.31.11-1.fc43
CMake is used to control the software compilation process using simple platform and compiler independent configuration files. CMake generates native makefiles and workspaces that can be used in the compiler environment of your choice. CMake is quite sophisticated: it is possible to support comple...