GHSA-5PGF-H923-M958 Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
Summary An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. Details Root cause: - Anonymous...
GHSA-VG28-83RP-8XX4 Frigate has broken access control: viewer user can delete admin and other users' accounts
Summary Users with the viewer role can delete admin and other users' accounts. This leads to denial of service and affects data integrity. Details Endpoint DELETE /api/users/admin is enabled for anonymous users. PoC I deleted the admin user on demo.frigate.video: Impact This leads to denial of servi...
PT-2026-26098
Summary Users with the viewer role can delete admin and other users' accounts. This leads to denial of service and affects data integrity. Details Endpoint DELETE /api/users/admin is enabled for anonymous users. PoC I deleted the admin user on demo.frigate.video: Impact This leads to denial of servi...
Umbraco CMS disclosure of configured password requirements
Impact Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute force derive a user's password...
Exposure of Sensitive System Information to an Unauthorized Control Sphere
Overview Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via an anonymously accessible endpoint that reveals details about configured password requirements. An attacker can gain insight into password policy information...
Umbraco security vulnerability
Umbraco is an open source content management system CMS written in C from Umbraco, Denmark. A security vulnerability exists in Umbraco versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1, which stems from configured password requirement information that can be retrieved via an anonymous...
Progress Software Telerik Report Server resource management error vulnerability
Progress Software Telerik Report Server is an enterprise-class report management and distribution solution from Progress Software, Inc. A resource management error vulnerability exists in versions prior to Progress Software Telerik Report Server 2024 Q3 10.2.24.806, which originates from an HTTP...