CVE-2026-33680

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...

CVE-2026-24448

Use of hard-coded credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access...

CVE-2026-31848

Nexxt Solutions Nebula 300+ firmware through version 12.01.01.37 uses the ecospw cookie for authentication, which contains Base64-encoded credential data combined with a static suffix. Because the encoding is reversible and lacks integrity protection, an attacker can reconstruct or forge a valid...

CVE-2026-33222

A flaw was found in NATS-Server, a high-performance messaging system. This vulnerability allows users with JetStream admin API access to restore data from one stream to unintended stream names. This can lead to unauthorized modification or overwriting of data that should have been protected,...

EUVD-2026-14927

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion...

GHSA-F95F-77JX-FCJC Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion

Summary The DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target...

Directory Traversal

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Directory Traversal in the pluginRunDatabaseScript.json.php endpoint. An administrator can execute arbitrary SQL commands and disclose sensitive file contents by...

AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name

Summary The objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName without any path traversal sanitization. This allows an authenticated admin or an attacker via CSRF to traverse outside the plugin directory and execute the...

SUSE CVE-2026-30869

SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By exploiting double-encoded traversal sequences, an attacker can access sensitive files such as...

GHSA-P8MM-644P-PHMH PinchTab: OS Command Injection via Profile Name in Windows Cleanup Routine Enables Arbitrary Command Execution

Summary PinchTab v0.8.4 contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell -Command string using a needle derived from the profile path. In v0.8.4, that string interpolation escapes...

CVE-2026-33539

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name...

CVE-2026-33700

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares...

CVE-2026-33700 Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares...

CVE-2026-33700

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares...

CVE-2026-33700

Summary: Vikunja before 2.2.1 had an IDOR on link share deletion. The vulnerable endpoint is DELETE /api/v1/projects/:project/shares/:share, which did not verify that the link share belongs to the project in the URL. An admin of any project could delete link shares from other projects by supplyin...

CVE-2026-33680

Vikunja before version 2.2.2 is affected: the LinkSharing.ReadAll() API lets link-share users list all shares for a project, exposing secret hashes. Although LinkSharing.CanRead() blocks reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by never calling CanRead(), ...

CVE-2026-33680 Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from readi...

PT-2026-27617

Name of the Vulnerable Software and Affected Versions NATS-Server versions prior to 2.11.15 NATS-Server versions prior to 2.12.6 Description NATS-Server, a high-performance server for NATS.io, contains an issue where users with JetStream admin API access to restore one stream could restore to oth...

PT-2026-27454

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.2.1 Description Vikunja is a self-hosted task management platform. A flaw exists where the DELETE /api/v1/projects/:project/shares/:share endpoint does not confirm that the link share belongs to the project specifie...

CVE-2026-23882 Blinko: Admin RCE - MCP Server Command Injection

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, the MCP Model Context Protocol server creation function allows specifying arbitrary commands and arguments, which are executed when testing the connection. This issue has been patched in version 1.8.4...