
10 matches found

Positive Technologies
added 2026/05/12 12:00 a.m. · 7 views

PT-2026-40333

Name of the Vulnerable Software and Affected Versions: Shelf versions 1.12 through 1.20.0. Description: An issue in the '/assets' route allows authenticated users of any role to execute arbitrary SQL commands and access data from any database table, including information from other organizations. Th...

CVSS 6.5 · AI score 6.1 · EPSS 0.00043
Exploits: 0 · References: 6
Cvelist
added 2026/05/04 5:44 p.m. · 29 views

CVE-2026-41572 Note Mark: Unauthenticated read of notes and assets in soft-deleted public books

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/id, /api/notes/id/content, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note I...

CVSS 5.3 · EPSS 0.0004
Exploits: 0 · References: 2
Snyk
added 2026/04/17 1:38 a.m. · 1 view

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the asset download process. An attacker can access the full contents of private note assets by sending unauthenticated requests to the /api/notes/noteID/assets/assetID endpoint when valid note and asset IDs are...

CVSS 8.2 · AI score 5.5 · EPSS 0.00044
Exploits: 0 · References: 2
Snyk
added 2026/03/24 5:27 p.m. · 2 views

Missing Authorization

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the assets/image-editor endpoint. An attacker can access private editor metadata, including focalPoint, for assets they are not authorized to view by supplying the I...

CVSS 5.3 · AI score 5.8 · EPSS 0.00042
Exploits: 0 · References: 2
RedhatCVE
added 2025/05/22 7:09 p.m. · 3 views

CVE-2021-21269

Keymaker is a Mastodon Community Finder based Matrix Community serverlist page Server. In Keymaker before version 0.2.0, the assets endpoint did not check for the extension. The Rust join method without checking user input might have made it able to do a Path Traversal attack causing to read more...

CVSS 7.7 · AI score 6.7 · EPSS 0.00358
Exploits: 0 · References: 1
Positive Technologies
added 2024/12/09 12:00 a.m. · 3 views

PT-2024-36455 · Unknown · Kashipara E-Learning Management System

Name of the Vulnerable Software and Affected Versions: Kashipara E-Learning Management System version 1.0 Description: A Directory Listing issue allows remote attackers to access sensitive files and directories via the "/admin/assets" API endpoint. This issue enables unauthorized access to...

CVSS 5.3 · AI score 7 · EPSS 0.00389
Exploits: 1 · References: 4
Positive Technologies
added 2023/05/05 12:00 a.m. · 3 views

PT-2023-23677 · Ghost · Ghost

Name of the Vulnerable Software and Affected Versions: Ghost versions prior to 5.42.1 Description: The issue allows remote attackers to read arbitrary files within the active theme's folder via directory traversal using the /assets/built%2F..%2F..%2F/ endpoint. This occurs in the...

CVSS 7.5 · AI score 7.4 · EPSS 0.94094
Exploits: 3 · References: 12
Vulnrichment
added 2022/08/19 8:40 p.m. · 7 views

CVE-2022-36031 Unhandled exception on illegal filename_disk value

Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the /assets endpoint. This vulnerability has been patched and release v9.15....

CVSS 6.5 · AI score 6.7 · EPSS 0.0026
Exploits: 1 · References: 1
Positive Technologies
added 2022/08/19 12:00 a.m. · 4 views

PT-2022-23129 · Directus · Directus

Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.15.0 Description: The Directus process can be aborted by having an authorized user update the filename_disk value to a folder and accessing that file through the "/assets" endpoint. This issue has been patched and...

CVSS 6.5 · AI score 6.4 · EPSS 0.0026
Exploits: 1 · References: 7
OSV
added 2021/01/20 6:15 p.m. · 0 views

CVE-2021-21269

Keymaker is a Mastodon Community Finder based Matrix Community serverlist page Server. In Keymaker before version 0.2.0, the assets endpoint did not check for the extension. The Rust join method without checking user input might have made it able to do a Path Traversal attack causing to read more...

CVSS 6.5 · AI score 6.6
Exploits: 0 · References: 2