
57254 matches found

Source: CVE | added 2026/03/10 9:25 p.m. | 21 views

CVE-2026-31821

CVE-2026-31821 affects Sylius (Open Source eCommerce framework on Symfony). The vulnerability is in the POST /api/v2/shop/orders/{tokenValue}/items endpoint, which does not verify cart ownership, allowing an unauthenticated attacker who knows a cart tokenValue to add items to another registered c...

CVSS 6.9 | AI score 5.9 | EPSS 0.00182
Exploits: 0 | References: 1 | Affected Software: 1
Source: NVD | added 2026/03/10 9:16 p.m. | 4 views

CVE-2026-31800

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the GraphQLConfig and Audience internal classes can be read, modified, and deleted via the generic /classes/GraphQLConfig and /classes/Audience REST API rout...

CVSS 9.1 | EPSS 0.00335
Exploits: 0 | References: 3
Source: OSV | added 2026/03/10 8:16 p.m. | 4 views

CVE-2026-3582

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

CVSS 4.3 | AI score 5.8 | EPSS 0.00248
Exploits: 0 | References: 4
Source: NVD | added 2026/03/10 8:16 p.m. | 5 views

CVE-2026-3582

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

CVSS 5.3 | EPSS 0.00248
Exploits: 0 | References: 4
Source: Cvelist | added 2026/03/10 8:14 p.m. | 26 views

CVE-2026-30946 Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limi...

CVSS 8.7 | EPSS 0.00562
Exploits: 0 | References: 3
Source: CVE | added 2026/03/10 8:14 p.m. | 17 views

CVE-2026-30946

Parse Server is affected by a denial-of-service due to unbounded query complexity in REST and GraphQL APIs. Unauthenticated attackers can exhaust resources (CPU, memory, database connections) via crafted queries, affecting all deployments using REST/GraphQL prior to 9.5.2-alpha.2 and 8.6.15. The ...

CVSS 8.7 | AI score 5.7 | EPSS 0.00562
Exploits: 0 | References: 3 | Affected Software: 1
Source: OSV | added 2026/03/10 8:14 p.m. | 5 views

CVE-2026-30946 Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limi...

CVSS 8.7 | AI score 5.7 | EPSS 0.00562
Exploits: 0 | References: 5
Source: Vulnrichment | added 2026/03/10 6:56 p.m. | 3 views

CVE-2026-3582 Incorrect Authorization in GitHub Enterprise Server allows access to issue and commit search results without repo scope

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

CVSS 5.3 | AI score 5.8 | EPSS 0.00248
Exploits: 0 | References: 4
Source: ATTACKERKB | added 2026/03/10 6:56 p.m. | 3 views

CVE-2026-3582

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

CVSS 5.3 | AI score 5.8 | EPSS 0.00248
Exploits: 0 | References: 5 | Affected Software: 1
Source: EUVD | added 2026/03/10 6:31 p.m. | 4 views

EUVD-2026-10458

Due to a Missing Authorization Check in SAP Business Warehouse Service API, an authenticated attacker could perform unauthorized actions via an affected RFC function module. Successful exploitation could enable unauthorized configuration and control changes, potentially disrupting request...

CVSS 5.9 | AI score 5.8 | EPSS 0.00215
Exploits: 0 | References: 3
Source: OSV | added 2026/03/10 6:28 p.m. | 5 views

GO-2026-4626 Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion in github.com/forceu/gokapi

Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

CVSS 5.4 | AI score 5.8 | EPSS 0.00116
Exploits: 0 | References: 3
Source: OSV | added 2026/03/10 6:28 p.m. | 7 views

GO-2026-4589 Rancher cloud credentials can be used through proxy API by users without access in github.com/rancher/rancher

Rancher cloud credentials can be used through proxy API by users without access in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports fr...

CVSS 9.9 | AI score 5.8 | EPSS 0.00832
Exploits: 0 | References: 3
Source: OSV | added 2026/03/10 6:28 p.m. | 2 views

GO-2026-4575 Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api

Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse in code.vikunja.io/api...

CVSS 9.8 | AI score 5.8 | EPSS 0.00673
Exploits: 0 | References: 4
Source: OSV | added 2026/03/10 6:28 p.m. | 4 views

GO-2026-4565 Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations in github.com/bitnami-labs/sealed-secrets

Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations in github.com/bitnami-labs/sealed-secrets...

CVSS 4.9 | AI score 5.8 | EPSS 0.00352
Exploits: 0 | References: 4
Source: NVD | added 2026/03/10 6:18 p.m. | 6 views

CVE-2026-30945

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...

CVSS 7.1 | EPSS 0.00452
Exploits: 2 | References: 3
Source: NVD | added 2026/03/10 6:18 p.m. | 7 views

CVE-2026-30928

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...

CVSS 8.7 | EPSS 0.01657
Exploits: 1 | References: 3
Source: OSV | added 2026/03/10 6:18 p.m. | 4 views

UBUNTU-CVE-2026-30928

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...

CVSS 8.7 | AI score 7.3 | EPSS 0.01657
Exploits: 1 | References: 3
Source: EUVD | added 2026/03/10 6:16 p.m. | 6 views

EUVD-2026-10556

StudioCMS has Privilege Escalation via Insecure API Token Generation...

CVSS 8.8 | AI score 5.8 | EPSS 0.00564
Exploits: 3 | References: 6
Source: EUVD | added 2026/03/10 6:16 p.m. | 4 views

EUVD-2026-10555

StudioCMS has Privilege Escalation via Insecure API Token Generation...

CVSS 8.8 | AI score 5.8 | EPSS 0.00564
Exploits: 3 | References: 6
Source: Snyk | added 2026/03/10 6:16 p.m. | 1 view

Incorrect Authorization

Overview: @withstudiocms/auth-kit provides utilities for managing authentication. Affected versions of this package are vulnerable to Incorrect Authorization through the api-tokens endpoint, which allows an authenticated user with editor privileges or higher to generate API tokens for any user by...

CVSS 8.8 | AI score 5.8 | EPSS 0.00564
Exploits: 3 | References: 3