EUVD-2026-10703
OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated, unlike the verify endpoint. This affects the...
CVE-2026-30959
OneUptime: the POST endpoint /api/user-whats-app/resend-verification-code allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID without validating ownership. The code path for ownership verification e...
CVE-2026-30945 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...
CVE-2026-30945
CVE-2026-30945: StudioCMS prior to 0.4.0 exposes an authorization flaw in DELETE /studiocms_api/dashboard/api-tokens. Any authenticated user with editor privileges or above can revoke API tokens for any user (including admin/owner) because tokenID and userID are taken directly from the request w...
CVE-2026-30944
CVE-2026-30944 affects StudioCMS prior to 0.4.0. The vulnerability resides in the /studiocms_api/dashboard/api-tokens endpoint, where any authenticated user (at least Editor) can generate API tokens for any target user, bypassing authorization checks to create tokens on behalf of others. This lea...
CVE-2026-30944 StudioCMS Affected by Privilege Escalation via Insecure API Token Generation
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with at least Editor privileges to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to...
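The OneUptime and StudioCMS entries above describe the same insecure direct object reference: a record id (and, for StudioCMS, a user id) is taken straight from the request and acted on without checking that the caller owns the record. The following is an added example, not OneUptime's or StudioCMS's code, showing that shape beside the ownership check that closes it. The users, tokens, session shape, role names and the "administrative roles may act cross-user" policy are constructed assumptions for the demonstration.

```javascript
// Added example; not OneUptime's or StudioCMS's code. Users, tokens, roles and
// the admin-override policy are constructed assumptions.

// Constructed user directory (hypothetical ids and roles).
const USERS = new Map([
  ['owner-1',  { id: 'owner-1',  role: 'owner'  }],
  ['editor-1', { id: 'editor-1', role: 'editor' }],
  ['viewer-1', { id: 'viewer-1', role: 'viewer' }],
]);
const TOKEN_MANAGERS = new Set(['editor', 'admin', 'owner']); // may call the endpoint at all
const ADMIN_ROLES = new Set(['admin', 'owner']);              // may act on others' records (assumed)

// Fresh stores per call so the checks do not share state.
function makeTokenStore() {
  return new Map([
    ['tok-owner',  { id: 'tok-owner',  userId: 'owner-1'  }],
    ['tok-editor', { id: 'tok-editor', userId: 'editor-1' }],
  ]);
}
function makeWhatsAppStore() {
  return new Map([['wa-1', { id: 'wa-1', userId: 'owner-1', resendCount: 0 }]]);
}

// The caller's identity comes from the server-side session, never from the body.
function callerOf(session) {
  return session && session.userId ? USERS.get(session.userId) : undefined;
}

// Vulnerable shape: the role gate passes, then the token named by body.tokenID
// is matched against body.userID, a value the caller chose. Nothing ties the
// token to the session user, so an editor can revoke an owner's token.
function revokeTokenVulnerable(session, body, tokens) {
  const caller = callerOf(session);
  if (!caller) return { status: 401 };
  if (!TOKEN_MANAGERS.has(caller.role)) return { status: 403 };
  const token = tokens.get(body.tokenID);
  if (!token || token.userId !== body.userID) return { status: 404 };
  tokens.delete(token.id);
  return { status: 204 };
}

// The ownership check itself: load the record by id, then require that its
// recorded owner is the caller. Optionally let administrative roles through.
// "Missing" and "not yours" look identical to the caller, so the endpoint does
// not confirm which ids exist.
function loadOwnedRecord(store, id, caller, { adminOverride = true } = {}) {
  const record = store.get(id);
  if (!record) return null;
  if (record.userId === caller.id) return record;
  return adminOverride && ADMIN_ROLES.has(caller.role) ? record : null;
}

// Hardened shape: same role gate, then the ownership check. body.userID is
// ignored; the affected user is whoever the stored token belongs to.
function revokeTokenHardened(session, body, tokens) {
  const caller = callerOf(session);
  if (!caller) return { status: 401 };
  if (!TOKEN_MANAGERS.has(caller.role)) return { status: 403 };
  const token = loadOwnedRecord(tokens, body.tokenID, caller);
  if (!token) return { status: 404 };
  tokens.delete(token.id);
  return { status: 204 };
}

// The OneUptime case has the same shape: act on a UserWhatsApp record by id.
// No admin override here, since only the record's owner should be able to
// trigger messages to that phone number (assumed policy).
function resendVerificationHardened(session, params, records) {
  const caller = callerOf(session);
  if (!caller) return { status: 401 };
  const record = loadOwnedRecord(records, params.id, caller, { adminOverride: false });
  if (!record) return { status: 404 };
  record.resendCount += 1; // stands in for actually sending the code
  return { status: 200 };
}
```

The point to check in a review of any "act on record by id" handler is where the owner comparison gets its user id from: if it is any field of the request rather than the authenticated session, the check is attacker-controlled and the endpoint is an IDOR regardless of how strict the role gate in front of it is.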
CVE-2026-30942
Flare (Next.js-based, self-hosted file sharing) contains an authenticated path traversal in /api/avatars/[filename] prior to version 1.7.3. The filename is passed to path.join() without sanitization and getFileStream() performs no path validation, allowing %2F-encoded ../ sequences to escape uplo...
CVE-2026-30942 Flare has a Path Traversal in /api/avatars/[filename]
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/[filename] allows any logged-in user to read arbitrary files from within the application container. The filename URL...
CVE-2026-30928
CVE-2026-30928 affects Glances prior to 4.5.1, where the REST endpoint /api/4/config exposes the full glances.conf (including credentials) with no filtering. This can leak backend credentials (databases, API tokens, JWT keys, SSL passwords) to an attacker with API access. The issue is fixed in 4....
CVE-2026-30928 Glances Exposes Unauthenticated Configuration Secrets
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all...
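The Glances entries describe a config endpoint that serialises the parsed configuration whole, credentials included. The filtering it lacked is shown below as an added example in JavaScript (Glances itself is Python; this is not its code). The sample configuration, its section and key names, the sensitive-key pattern and the URL-credential pattern are constructed for the demonstration; the last function is the check a practitioner can run against a live endpoint's response body.

```javascript
// Added example; not Glances' code. SAMPLE_CONFIG and both patterns are
// constructed for this demonstration.

// Constructed stand-in for a parsed glances.conf: section -> key -> value.
const SAMPLE_CONFIG = {
  global:        { refresh: '2', check_update: 'false' },
  influxdb:      { host: 'localhost', port: '8086', user: 'glances', password: 'hunter2-not-real' },
  elasticsearch: { hosts: 'https://es:9200', api_key: 'AbCdEf-constructed' },
  mysql:         { uri: 'mysql://glances:s3cr3t-constructed@db:3306/glances' },
  outputs:       { ssl_password: 'p@ss-constructed', jwt_secret: 'w3bt0k3n-s1gn1ng-k3y' },
};

// Keys whose values are secrets by name, anchored on "_" / "-" boundaries so
// that e.g. "bypass" or "passive_mode" are not caught.
const SENSITIVE_KEY = /(^|[_-])(password|passwd|pass|secret|token|api_?key|private_?key|jwt)([_-]|$)/i;
// Credentials embedded in connection URLs under innocent keys such as "uri".
const URL_CREDS = /^([a-z][a-z0-9+.-]*:\/\/[^:/?#@]+:)([^@/?#]+)@/i;

function redactValue(key, value) {
  if (typeof value !== 'string') return value;
  if (SENSITIVE_KEY.test(key)) return '***';
  return value.replace(URL_CREDS, '$1***@');
}

// Returns a copy of the configuration with secrets masked; this is what a
// config endpoint should serialise instead of the raw dictionary.
function redactConfig(config) {
  const out = {};
  for (const [section, entries] of Object.entries(config)) {
    out[section] = {};
    for (const [key, value] of Object.entries(entries)) {
      out[section][key] = redactValue(key, value);
    }
  }
  return out;
}

// Every secret the configuration holds, by key name or inside a URL.
function collectSecrets(config) {
  const secrets = [];
  for (const entries of Object.values(config)) {
    for (const [key, value] of Object.entries(entries)) {
      if (typeof value !== 'string') continue;
      if (SENSITIVE_KEY.test(key)) secrets.push(value);
      const m = URL_CREDS.exec(value);
      if (m) secrets.push(m[2]);
    }
  }
  return secrets;
}

// The practitioner's check: which configured secrets appear verbatim in a
// response body. Run it against GET /api/4/config (or any debug endpoint).
function leakedSecrets(responseBody, config) {
  return collectSecrets(config).filter((s) => responseBody.includes(s));
}
```

Key-name matching is only a floor: the URL pattern exists because connection strings routinely carry passwords under keys like "uri" or "hosts", and leakedSecrets() is worth keeping as a regression test precisely because a new exporter section can introduce a key the pattern does not know.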
EUVD-2026-10544
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...
CVE-2026-30933
CVE-2026-30933 affects FileBrowser Quantum prior to the fixed releases 1.3.1-beta and 1.2.2-stable. The issue is an incomplete remediation of CVE-2026-27611: password-protected shares still disclose a tokenized downloadURL via /public/api/share/info. The Red H...
CVE-2026-30933 FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...
Exploit for CVE-2026-30741
Security Advisory: CVE-2026-30741 Product: OpenClaw Agent Pla...
CVE-2026-25679 vulnerabilities
Vulnerabilities for packages: opensearch-k8s-operator, flux-notification-controller, kaf, crossplane-provider-aws-lambda, clickhouse-operator, terraform-provider-google, cadvisor, nova, gitea, ksops, nri-rabbitmq, liquibase-package-manager, crossplane-provider-aws-elasticache,...
CVE-2026-27142 vulnerabilities
Vulnerabilities for packages: flux-notification-controller, temporal-server, kubernetes-event-exporter, sops, kaf, pulumi-language-dotnet, crossplane-provider-aws-lambda, cluster-autoscaler, cluster-api-azure-controller, opentelemetry-collector-contrib, rancher-webhook, terraform-provider-random,...
GHSA-J3GX-2473-5FP8 vulnerabilities
Vulnerabilities for packages: opensearch-k8s-operator, flux-notification-controller, kaf, crossplane-provider-aws-lambda, clickhouse-operator, terraform-provider-google, cadvisor, nova, gitea, ksops, nri-rabbitmq, liquibase-package-manager, crossplane-provider-aws-elasticache,...
GHSA-RV83-G57W-FR8J vulnerabilities
Vulnerabilities for packages: opensearch-k8s-operator, flux-notification-controller, renovate, kaf, crossplane-provider-aws-lambda, clickhouse-operator, terraform-provider-google, cadvisor, nova, gitea, ksops, nri-rabbitmq, liquibase-package-manager, crossplane-provider-aws-elasticache,...