PT-2026-43276
Name of the Vulnerable Software and Affected Versions FastNetMon Community Edition versions prior to 1.2.10 Description The software exposes a gRPC API server on port 50052 that lacks an authentication mechanism. The server is initialized using grpc::InsecureServerCredentials, allowing any user...
Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels
Missing Access Check on Channel Members Endpoint for Standard Channels Affected Component Channel members listing endpoint: - backend/openwebui/routers/channels.py lines 445-507, getchannelmembersbyid Affected Versions Current main branch and likely all versions with the channels feature...
PT-2026-39276
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description The 'GET /api/v1/channels/id/members' endpoint fails to perform a channel access check for standard channels, including private ones. While membership is verified for group and dm channel type...
BIT-MLFLOW-2026-33866 Authorization Bypass in MLflow AJAX Endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to...
EUVD-2026-19609
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to...
CVE-2026-33866 Authorization Bypass in MLflow AJAX Endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to...
CVE-2026-29189
The CVE-2026-29189 entry concerns SuiteCRM REST API V8 with missing ACL checks on multiple endpoints (user preferences and relationships), enabling authenticated users to access/manipulate data they should not. Affected versions before 7.15.1 and 8.9.3 are vulnerable; patches exist in 7.15.1 and ...
CVE-2026-27457 Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet (weblate/api/views.py, line 2831) uses queryset = Addon.objects.all() without overriding get_queryset to scope results by user permissions. This allows any authenticated user or anonymous users if REQUIRELOG...
Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
Impact Users were able to obtain add-on configuration via API. Patches https://github.com/WeblateOrg/weblate/pull/18107 https://github.com/WeblateOrg/weblate/pull/18164 References Weblate thanks @lighthousekeeper1212 for responsible disclosure...
CVE-2026-25924 Kanboard is Missing Access Control on Plugin Installation leading to Administrative RCE
Kanboard is project management software focused on the Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface...
CVE-2026-21889
Weblate is a web based localization tool. Prior to 5.15.2, the screenshot images were served directly by the HTTP server without proper access control. This could allow an unauthenticated user to access screenshots after guessing their filename. This vulnerability is fixed in 5.15.2...
CVE-2025-65731
An issue was discovered in D-Link Router DIR-605L Hardware version F1; Firmware version: V6.02CN02 allowing an attacker with physical access to the UART pins to execute arbitrary commands due to presence of root terminal access on a serial interface without proper access control...
WordPress plugin CubeWP Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security...
Improper Authorization
trytond is vulnerable to Improper Authorization. The vulnerability is due to missing access control enforcement on the HTML editor route, which allows an attacker to access or modify content without proper permissions...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the snappy:Decoder function. An attacker can cause excessive memory consumption and potential out-of-memory errors by sending malformed blocks that bypass request size limits. This...
CVE-2025-34331
AudioCodes Fax Server and Auto-Attendant IVR appliances versions up to and including 2.6.23 contain an unauthenticated file read vulnerability via the download.php script. The endpoint exposes a file download mechanism that lacks access control, allowing remote, unauthenticated users to request...
CVE-2025-62651
The Restaurant Brands International RBI assistant platform through 2025-09-06 does not implement access control for the bathroom rating interface...
EUVD-2024-43539
Malicious code in bioql PyPI...
EUVD-2024-40164
Malicious code in bioql PyPI...