EUVD-2026-11234

In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover...

PT-2026-24738

In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover...

EUVD-2024-36877

Malicious code in bioql PyPI...

CVE-2025-32878

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end...

CVE-2025-32878

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end...

PT-2025-26314 · Coros · Coros Pace 3

Name of the Vulnerable Software and Affected Versions: COROS PACE 3 versions through 3.0808.0 Description: An issue was discovered that allows an attacker to eavesdrop and manipulate HTTPS communication. The device does not validate the X.509 server certificate within the TLS handshake, enabling ...

CVE-2025-32878

An issue was discovered on COROS PACE 3 devices through 3.0808.0. It implements a function to connect the watch to a WLAN. This function is mainly for downloading firmware files. Before downloading firmware files, the watch requests some information about the firmware via HTTPS from the back-end...

CVE-2025-29513

Cross-Site Scripting XSS vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator...

CVE-2025-29513

NodeBB has a stored XSS vulnerability in the admin API Access token generator affecting NodeBB v4.0.4 and earlier. The issue allows remote attackers to store arbitrary code. A fix is available in NodeBB 4.0.5 and later (update to 4.0.5+), per PT-2025-17334. Other sources corroborate NodeBB

CVE-2024-37905

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including...

CVE-2024-37905

The CVE-2024-37905 entry concerns the github.com/goauthentik/authentik project. Affected: authentic API-Access-Token mechanism that can be exploited to gain admin privileges, enabling full admin access and actions like resetting passwords. Root cause: improper access control/authorization related...

CVE-2024-37905 Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including...

CVE-2024-37905 Improper Access Control and Incorrect Authorization in github.com/goauthentik/authentik

authentik is an open-source Identity Provider that emphasizes flexibility and versatility. Authentik API-Access-Token mechanism can be exploited to gain admin user privileges. A successful exploit of the issue will result in a user gaining full admin access to the Authentik application, including...

PT-2024-27821

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2024.2.4 authentik versions prior to 2024.4.2 authentik versions prior to 2024.4.3 authentik versions prior to 2024.6.0 Description The authentik API-Access-Token mechanism can be exploited to gain admin user...

FreeBSD : Gitlab -- vulnerability (0a8ebf4a-5660-11eb-b4e2-001b217b3468)

SO-AND-SO reports : Ability to steal a user's API access token through GitLab Pages C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from the FreeBSD VuXML database : Copyright 2003-2021 Jacques Vidrine and contributors Redistribution and use ...

Gitlab -- multiple vulnerabilities

Gitlab reports: Ability to steal a user's API access token through GitLab Pages Prometheus denial of service via HTTP request with custom method Unauthorized user is able to access private repository information under specific conditions Regular expression denial of service in NuGet API Regular...

Exploit for Path Traversal in Gitlab

CVE-2020-10977.py authenticated arbitrary file read for Gitla...

CVE-2020-12432

The WOPI API integration for Vereign Collabora CODE through 4.2.2 does not properly restrict delivery of JavaScript to a victim's browser, and lacks proper MIME type access control, which could lead to XSS that steals account credentials via cookies or local storage. The attacker must first obtai...

Improper access control

The WOPI API integration for Vereign Collabora CODE through 4.2.2 does not properly restrict delivery of JavaScript to a victim's browser, and lacks proper MIME type access control, which could lead to XSS that steals account credentials via cookies or local storage. The attacker must first obtai...

CVE-2020-12432

Summary: CVE-2020-12432 affects Collabora CODE/WOPI integration used by Vereign Collabora CODE up to version 4.2.2. The vulnerability arises from improper restriction of JavaScript delivery to a user’s browser and weak MIME-type access control, enabling cross-site scripting that can steal credent...