57156 matches found

[CVE] CVE-2026-39322
added 2026/04/07 7:03 p.m., 12 views

PolarLearn (0-PRERELEASE-15 and earlier) is affected. The issue: POST /api/v1/auth/sign-in creates a valid session for banned accounts before password verification, and that session is accepted on authenticated /api routes, allowing account data access and authenticated actions as the banned user...

CVSS 9.2 | AI score 5.9 | EPSS 0.00239 | Exploits 0 | References 1 | Affected software 1
[CVE] CVE-2026-39351
added 2026/04/07 6:52 p.m., 38 views

Summary (CVE-2026-39351): The Red Hat, NVD, CIRCL, and related feeds describe a vulnerability in the Frappe framework where an API-based attack grants unrestricted access to Doctypes. Affected versions are listed as prior to 16.14.0 and 15.104.0. The impact is described as the ability to access...

CVSS 9.1 | AI score 5.9 | EPSS 0.00258 | Exploits 0 | References 1 | Affected software 1
[EUVD] EUVD-2026-19861
added 2026/04/07 6:52 p.m., 2 views

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit...

CVSS 6.9 | AI score 5.9 | EPSS 0.00258 | Exploits 0 | References 1
[Cvelist] CVE-2026-39351 Frappe allows unrestricted Doctype access via API exploit
added 2026/04/07 6:52 p.m., 14 views

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe allows unrestricted Doctype access via API exploit...

CVSS 6.9 | EPSS 0.00258 | Exploits 0 | References 1
[Snyk] Missing Authorization
added 2026/04/07 6:31 p.m., 4 views

Overview: openviking is an agent-native context database. Affected versions of this package are vulnerable to Missing Authorization via task polling. An attacker can access sensitive metadata belonging to other users by sending unauthenticated requests to the /api/v1/tasks and...

CVSS 6.9 | AI score 5.8 | EPSS 0.00384 | Exploits 1 | References 2
[EUVD] EUVD-2026-19651
added 2026/04/07 6:16 p.m., 4 views

Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature...

CVSS 8.7 | AI score 5.9 | EPSS 0.00497 | Exploits 1 | References 3
[Vulnrichment] CVE-2026-39331 ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify, and Spam Arbitrary Families
added 2026/04/07 5:36 p.m., 1 view

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the familyId parameter in requests, regardless of whether they possess the required EditRecords privilege...

CVSS 8.1 | AI score 6 | EPSS 0.00214 | Exploits 0 | References 1
[Cvelist] CVE-2026-39331 ChurchCRM has an API Authorization Bypass Allows Authenticated User to Deactivate, Modify, and Spam Arbitrary Families
added 2026/04/07 5:36 p.m., 15 views

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the familyId parameter in requests, regardless of whether they possess the required EditRecords privilege...

CVSS 8.1 | EPSS 0.00214 | Exploits 0 | References 1
[NVD] CVE-2026-22683
added 2026/04/07 5:16 p.m., 3 views

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...

CVSS 8.8 | EPSS 0.00678 | Exploits 0 | References 6
[RedhatCVE] CVE-2026-34981
added 2026/04/07 5:06 p.m., 2 views

The whisperX API is a tool for enhancing and analyzing audio content. From 0.3.1 to 0.5.0, FileService.downloadfromurl in app/services/fileservice.py calls requests.get(url) with no URL validation. The file extension check occurs only after the HTTP request has already been made, and can be bypassed by...

CVSS 5.8 | AI score 5.9 | EPSS 0.00252 | Exploits 1 | References 1
[RedhatCVE] CVE-2026-3524
added 2026/04/07 5:03 p.m., 6 views

Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP, which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID:...

CVSS 8.8 | AI score 5.9 | EPSS 0.00378 | Exploits 0 | References 1
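The bug class in the Mattermost entry above, a denial that is written to the response but not followed by a return, is shown below in Go with net/http/httptest. This is an added illustration, not the plugin's code: the route, the X-Role header rule and the record text are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample record: the data the authorization check is meant to protect.
const sampleRecord = `{"id":"lh-1","contents":"privileged legal hold export"}`

// isAuthorized stands in for the plugin's permission check. Hypothetical rule:
// only requests carrying "X-Role: admin" may read records.
func isAuthorized(r *http.Request) bool {
	return r.Header.Get("X-Role") == "admin"
}

// vulnerableServeHTTP reproduces the bug class: the 403 is written, but the
// function does not return, so the privileged work below still runs and its
// output is appended to the same response body.
func vulnerableServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !isAuthorized(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		// BUG: missing "return" here
	}
	_, _ = w.Write([]byte(sampleRecord))
}

// fixedServeHTTP stops processing as soon as the check fails.
func fixedServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !isAuthorized(r) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	_, _ = w.Write([]byte(sampleRecord))
}

// probe sends an unauthenticated GET (hypothetical path) to a handler and reports
// the status code and whether the protected record text ended up in the body.
func probe(h http.HandlerFunc) (status int, leaked bool) {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/records/lh-1", nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.Contains(rec.Body.String(), "legal hold export")
}

func main() {
	cases := []struct {
		name string
		h    http.HandlerFunc
	}{{"vulnerable", vulnerableServeHTTP}, {"fixed", fixedServeHTTP}}
	for _, c := range cases {
		status, leaked := probe(c.h)
		fmt.Printf("%-10s status=%d leaked=%v\n", c.name, status, leaked)
	}
}
```

Both handlers answer 403, so a test that asserts only on the status code passes the vulnerable one. Assert on the body for read routes, and on the side effect (record created or deleted) for write routes.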
[RedhatCVE] CVE-2026-35037
added 2026/04/07 5:03 p.m., 3 views

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the websiteurl query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. Th...

CVSS 7.2 | AI score 6 | EPSS 0.00289 | Exploits 2 | References 1
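The missing step in the Ech0 entry above, and equally in the whisperX download path a few entries earlier, is validating where a user-supplied URL actually points before the server fetches it. The Go function below is an added example, not Ech0's or whisperX's code: it accepts only http(s) URLs whose host resolves exclusively to public addresses, with the resolver injected so the check runs offline. The blocked prefix list is an assumption for the example (loopback, RFC 1918, link-local including the cloud metadata address, CGNAT, and the IPv6 equivalents).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"net/url"
)

// Resolver abstracts DNS so the check can be exercised without network access;
// production code passes systemResolver.
type Resolver func(host string) ([]netip.Addr, error)

func systemResolver(host string) ([]netip.Addr, error) {
	ips, err := net.LookupIP(host)
	if err != nil {
		return nil, err
	}
	var out []netip.Addr
	for _, ip := range ips {
		if a, ok := netip.AddrFromSlice(ip); ok {
			out = append(out, a)
		}
	}
	return out, nil
}

func mustPrefixes(ss ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(ss))
	for _, s := range ss {
		out = append(out, netip.MustParsePrefix(s))
	}
	return out
}

// blockedPrefixes is the example's policy; adjust to the deployment.
var blockedPrefixes = mustPrefixes(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
	"::/128", "::1/128", "fc00::/7", "fe80::/10",
)

// isBlocked unmaps IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) first so they
// cannot dodge the IPv4 prefixes.
func isBlocked(a netip.Addr) bool {
	a = a.Unmap()
	for _, p := range blockedPrefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ValidateTarget returns the address that passed the check. The caller should
// dial that exact IP (sending the original Host header) rather than resolving
// again, which is what closes the DNS-rebinding window between check and use.
func ValidateTarget(raw string, resolve Resolver) (netip.Addr, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return netip.Addr{}, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return netip.Addr{}, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return netip.Addr{}, errors.New("empty host")
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{ip} // literal IP: no lookup needed
	} else if addrs, err = resolve(host); err != nil {
		return netip.Addr{}, fmt.Errorf("resolve %s: %w", host, err)
	}
	if len(addrs) == 0 {
		return netip.Addr{}, fmt.Errorf("%s has no addresses", host)
	}
	for _, a := range addrs { // every A/AAAA record must be public
		if isBlocked(a) {
			return netip.Addr{}, fmt.Errorf("%s resolves to blocked address %s", host, a)
		}
	}
	return addrs[0], nil
}

func main() {
	for _, raw := range []string{"https://example.com/", "http://169.254.169.254/latest/meta-data/"} {
		a, err := ValidateTarget(raw, systemResolver)
		fmt.Println(raw, a, err)
	}
}
```

Two caveats a practitioner will want: redirects must re-run the check (an http.Client CheckRedirect callback is the place), and the check is only meaningful if the fetch then connects to the returned address instead of letting the client resolve the name a second time.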
[ATTACKERKB] CVE-2026-22683
added 2026/04/07 4:50 p.m., 2 views

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...

CVSS 8.8 | AI score 6.5 | EPSS 0.00678 | Exploits 0 | References 6 | Affected software 2
[Cvelist] CVE-2026-22683 Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
added 2026/04/07 4:50 p.m., 18 views

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...

CVSS 8.8 | EPSS 0.00678 | Exploits 0 | References 6
[Vulnrichment] CVE-2026-35606 File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
added 2026/04/07 4:29 p.m., 1 view

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other...

CVSS 5.3 | AI score 5.9 | EPSS 0.00274 | Exploits 1 | References 1
[Cvelist] CVE-2026-35606 File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
added 2026/04/07 4:29 p.m., 18 views

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the resourceGetHandler in http/resource.go returns full text file content without checking the Perm.Download permission flag. All three other...

CVSS 5.3 | EPSS 0.00274 | Exploits 1 | References 1
[CVE] CVE-2026-35606
added 2026/04/07 4:29 p.m., 10 views

CVE-2026-35606 (File Browser): The resourceGetHandler in http/resource.go loads text content without enforcing Perm.Download, allowing a user with download: false to read any text file within their scope via bypass paths. The endpoints /api/raw, /api/preview, and /api/subtitle correctly check th...

CVSS 7.5 | AI score 5.9 | EPSS 0.00274 | Exploits 1 | References 1 | Affected software 1
[Veracode] Improper Certificate Validation
added 2026/04/07 4:26 p.m., 5 views

kubevirt.io/kubevirt is vulnerable to improper certificate validation. The vulnerability is due to flawed peer verification logic in virt-handler, which allows an attacker to exploit shared credentials from a compromised instance to impersonate virt-api and execute privileged operations on other...

CVSS 6.3 | AI score 6 | EPSS 0.0016 | Exploits 1 | References 5 | Affected software 1
[vulnersOsv] arches (=8.0.0a1), desktop-django-starter (=0.1.0) +33 more potentially affected by CVE-2026-4277 via django (>=6.0.0 <=6.0.3)
added 2026/04/07 4:14 p.m., 5 views

django PYPI version =6.0.0, =2.0.0, =1.1.0, =0.1.0, =0.1.0b2, =0.2.0b1 and more. Source cves: CVE-2026-4277. Source advisory: SNYK:PYTHON-DJANGO-15923568...

CVSS 9.8 | AI score 5.4 | EPSS 0.00458 | Exploits 0
[ATTACKERKB] CVE-2026-35583
added 2026/04/07 3:57 p.m., 2 views

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint /api/configuration/name validated configuration names using a blacklist approach that checked for , /, .., and trailing .. This could potentially be bypassed using URL-encoded variants,...

CVSS 5.3 | AI score 5.9 | EPSS 0.0032 | Exploits 1 | References 2 | Affected software 1
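The Emissary entry above describes a denylist applied to the raw name, which encoded variants slip past. The Go code below is an added example, not Emissary's code: it canonicalises the value (repeated percent-decoding) before validating, and then accepts only names that match an allowlist, so separators and dot segments are impossible by construction rather than enumerated. The name policy (letters, digits, underscore, hyphen, interior dots) is an assumption for the example; the denylist is reproduced only to show the inputs it misses.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// nameAllowlist: one or more dot-separated labels of [A-Za-z0-9_-]. A name
// therefore cannot contain '/', '\', '%', or a leading/trailing/double dot.
var nameAllowlist = regexp.MustCompile(`^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$`)

// ValidateConfigName decodes until the value stops changing (bounded, so a
// pathological input cannot loop), then applies the allowlist. Anything still
// percent-encoded after the bound fails the allowlist because '%' is not permitted.
func ValidateConfigName(raw string) (string, error) {
	name := raw
	for i := 0; i < 3; i++ {
		decoded, err := url.PathUnescape(name)
		if err != nil {
			return "", fmt.Errorf("malformed encoding in %q: %w", raw, err)
		}
		if decoded == name {
			break
		}
		name = decoded
	}
	if strings.ContainsAny(name, "/\\\x00") || !nameAllowlist.MatchString(name) {
		return "", fmt.Errorf("configuration name %q rejected", raw)
	}
	return name, nil
}

// blacklistCheck is the pattern the advisory describes: a few bad substrings
// tested on the undecoded value. It returns true ("looks fine") for encoded
// forms of exactly the things it is trying to block.
func blacklistCheck(raw string) bool {
	if strings.Contains(raw, "/") || strings.Contains(raw, "..") || strings.HasSuffix(raw, ".") {
		return false
	}
	return true
}

func main() {
	// Constructed inputs: one legitimate name and three encoded traversal attempts.
	for _, in := range []string{"prod-config_v2.cfg", "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "secret%2e", "%252e%252e%2fx"} {
		name, err := ValidateConfigName(in)
		fmt.Printf("%-32s denylist-ok=%-5v allowlist=%q err=%v\n", in, blacklistCheck(in), name, err)
	}
}
```

The order matters: decode, then validate, then use the validated value (never the raw one) to build the filesystem path. Validating first and decoding later, as the denylist does, is the bypass.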