CVE-2026-45286

Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied t...

CVE-2026-45286 Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint

Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied t...

CVE-2026-45286 Nextcloud: Calendar app leaked user identifiers via attendee suggestion endpoint

Nextcloud is an open source content collaboration platform. From versions 5.5.13 to before 5.5.17, and 6.2.0 to before 6.2.3, an authenticated user can enumerate users on the same Nextcloud instance by using the Calendar app's endpoint for suggesting attendees. The sharing restrictions, applied t...

CVE-2026-45286

CVE-2026-45286 affects Nextcloud Open Source Content Collaboration Platform. An authenticated user could enumerate other users on the same instance by abusing the Calendar app’s endpoint for suggesting attendees; standard sharing restrictions did not apply to that endpoint. Impacted versions are ...

Calendar app leaked user identifiers via attendee suggestion endpoint

None...

PT-2026-23407

Name of the Vulnerable Software and Affected Versions HumHub Calendar module versions prior to 1.8.11 Description The Calendar module for HumHub allows users to create and manage events. A stored cross-site scripting XSS issue exists in the Event Types functionality of the Calendar module for...

CVE-2025-68112

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potentia...

CVE-2025-68112

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potentia...

EUVD-2025-203987

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potentia...

PT-2025-51930

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 6.5.3 Description ChurchCRM is an open-source church management system. A SQL injection flaw exists in the Event Attendee Editor. This allows authenticated users to execute arbitrary SQL commands, potentially leadin...

CVE-2025-13742

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML i...

Cross-site Scripting (XSS)

Overview pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Cross-site Scripting XSS via the email template rendering logic. An attacker can cause arbitrary HTML content to be injected into outgoing emails by supplying specially crafted inpu...

CVE-2025-13742

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML i...

CVE-2025-13742

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML i...

PYSEC-2025-154

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML i...

CVE-2025-13742 Limited HTML injection in emails

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML i...

EUVD-2024-54049

Malicious code in bioql PyPI...

EUVD-2024-17077

Malicious code in bioql PyPI...

CVE-2024-1053

The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'email' action in all versions up to, and including, 5.8.1. This makes it possible for authenticated attackers, with contributor-level access and above, to...

CVE-2024-1319

The Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the attendees list on any post type regardless of status. e.g. draft, private, pending review, password-protected, and trashed posts...