GO-2026-4849 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api

Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

GO-2026-4848 Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api

Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports fr...

GO-2026-4817 GoDoxy has a Path Traversal Vulnerability in its File API in github.com/yusing/godoxy

GoDoxy has a Path Traversal Vulnerability in its File API in github.com/yusing/godoxy...

GO-2026-4814 New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check in github.com/QuantumNous/new-api

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check in github.com/QuantumNous/new-api...

GO-2026-4716 SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API in github.com/siyuan-note/siyuan/kernel

SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API in github.com/siyuan-note/siyuan/kernel...

CVE-2026-33530

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints e.g. /api/part/, /api/stock/,...

CVE-2026-33528

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Joincommon.ConfigBasePath, filename where ConfigBasePath =...

CVE-2026-21724

Grafana OSS vulnerability CVE-2026-21724: a flaw in the Provisioning Contact Points API allows users with Editor role to bypass authorization and modify protected webhook URLs without the alert.notifications.protected:write permission. Impact is limited to unauthorized changes to protected webhoo...

CVE-2026-33375

CVE-2026-33375 concerns the Grafana MSSQL Data Source Plugin, where a logic flaw lets a low-privileged user (Viewer) bypass API restrictions and cause an Out-Of-Memory (OOM) DoS, crashing the host container. The connected records confirm the affected component (Grafana MSSQL data source plugin) a...

CVE-2026-33375

The Grafana MSSQL data source plugin contains a logic flaw that allows a low-privileged user Viewer to bypass API restrictions and trigger a catastrophic Out-Of-Memory OOM memory exhaustion, crashing the host container...

CVE-2026-33530

The CVE affects InvenTree prior to version 1.2.6, where bulk data API endpoints (e.g., /api/part/, /api/stock/, /api/order/so/allocation/, etc.) accept a filters parameter that is passed directly to Django queryset.filter(**filters) without any field allowlisting. This allows an authenticated use...

CVE-2026-33530

InvenTree is an Open Source Inventory Management System. Prior to version 1.2.6, certain API endpoints associated with bulk data operations can be hijacked to exfiltrate sensitive information from the database. The bulk operation API endpoints e.g. /api/part/, /api/stock/,...

CVE-2026-33528 GoDoxy has a Path Traversal Vulnerability in its File API

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Joincommon.ConfigBasePath, filename where ConfigBasePath =...

CVE-2026-33528

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Joincommon.ConfigBasePath, filename where ConfigBasePath =...

CVE-2026-33528 GoDoxy has a Path Traversal Vulnerability in its File API

GoDoxy is a reverse proxy and container orchestrator for self-hosters. Prior to version 0.27.5, the file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Joincommon.ConfigBasePath, filename where ConfigBasePath =...

CVE-2026-3190

A flaw was found in Keycloak. The User-Managed Access UMA 2.0 Protection API endpoint for permission tickets fails to enforce the umaprotection role check. This allows any authenticated user with a token issued for a resource server client, even without the umaprotection role, to enumerate all...

CVE-2026-33505

Ory Keto is am open source authorization server for managing permissions at scale. Prior to version 26.2.0, the GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in...

CVE-2026-33152

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...

CVE-2026-3190

CVE-2026-3190 affects Keycloak via the UMA 2.0 Protection API endpoint for permission tickets, where the required uma_protection role check is not enforced. As a result, any authenticated user with a token issued for a resource server client can enumerate all permission tickets, leading to partia...

CVE-2026-3190

A flaw was found in Keycloak. The User-Managed Access UMA 2.0 Protection API endpoint for permission tickets fails to enforce the umaprotection role check. This allows any authenticated user with a token issued for a resource server client, even without the umaprotection role, to enumerate all...