CVE-2026-8828

CVE-2026-8828 describes a lack of authorization validation in ChromaDB Rust (version 1.0.0 and later) that allows any authenticated user to arbitrarily read, write, update, or delete data in any tenant’s collection, regardless of tenant ownership. The core issue is insufficient access control in ...

CVE-2026-8828

A lack of authorization validation in version 1.0.0 or later of the ChromaDB Rust project allows any authenticated users to arbitrarily read, write, update, or delete data in any tenant's collection regardless of which tenant they belong to...

CVE-2026-44975

CVE-2026-44975 (Frappe) : The vulnerability affects the Frappe full‑stack web framework prior to versions 15.107.2 and 16.17.4. An authenticated user can reset onboarding for all users due to missing authorization on the reset form tours. This exposes potential impact on user onboarding state, wi...

CVE-2026-53469 Migration-planner: unprotected delete endpoint wipes all tenant data

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

CVE-2026-53469 Migration-planner: unprotected delete endpoint wipes all tenant data

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

Security update for python-Django

This update for python-Django fixes the following issues CVE-2026-6873: signed cookie salt namespace collision in django.http.HttpRequest.getsignedcookie bsc1267578. CVE-2026-7666: potential unencrypted email transmission via STARTTLS in the SMTP backend bsc1267579. CVE-2026-8404: potential...

SUSE-SU-2026:2318-1 Security update for python-Django

This update for python-Django fixes the following issues - CVE-2026-6873: signed cookie salt namespace collision in django.http.HttpRequest.getsignedcookie bsc1267578. - CVE-2026-7666: potential unencrypted email transmission via STARTTLS in the SMTP backend bsc1267579. - CVE-2026-8404: potential...

CVE-2026-47343 TYPO3 CMS - Destructive Actions on File Mount Folders

Non-privileged backend users with file mount access were able to perform write operations move, delete, rename on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0...

CVE-2026-44750 Missing Authorization check in SAP MDG (Review Match Groups Application)

SAP MDG Review Match Groups Application does not perform the necessary authorization checks for authenticated users. This could allow a low-privileged user to perform actions that would otherwise be restricted, resulting in escalation of privileges. This has a low impact on integrity, while...

CVE-2026-10787

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server 2026.1.20.0 and earlier...

EUVD-2026-35183

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server 2026.1.20.0 and earlier...

CVE-2026-46442 Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, allowing any authenticated user or API key to submit arbitrary JavaScript to the Custom JS Function node. When...

CVE-2026-27679

Due to missing authorization checks in the SAP S/4HANA frontend OData Service Manage Reference Structures, an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and...

CVE-2026-24590

Missing Authorization vulnerability in VideoWhisper.Com Paid Videochat Turnkey Site allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.23...

CVE-2026-34184

Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database.This issue was fixed in...

CVE-2026-44316

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler HandleCreateSmPolicyRequest panics with a nil-pointer dereference when a downstream OpenAPI consumer call UDR lookup returns 404 Not Found and the...

EUVD-2026-34827

The Comment API GET /api/Comment and POST /api/Comment in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference IDOR vulnerability allows any authenticated...

CVE-2026-49203

Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted...

CVE-2026-49203 Unauthenticated eSIM Configuration Manipulation

Crucial management API endpoints for cellular eSIM allocation do not validate caller authorization, allowing remote profiles to be rewritten or deleted...

CVE-2026-10737

The SP Project & Document Manager plugin for WordPress is affected up to version 4.71 by an access control flaw in view_file that allows unauthenticated attackers to read file metadata and obtain download links for files stored in project folders. The authorization gate uses a negated nonce check...