GHSA-CGX8-QGVR-F7VF mem0 server lacks authentication and authorization controls for its memory creation API endpoint

The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...

mem0 server lacks authentication and authorization controls for its memory creation API endpoint

The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...

mem0 server lacks authentication and authorization controls for its memory deletion API endpoint

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...

mem0 server lacks authentication and authorization controls for its memory management API endpoints

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memoryid are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...

EUVD-2026-29408

The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the savesettings function, which is registered on the adminpostcccf7savesettings...

BIT-ARGO-WORKFLOWS-2026-42297 Argo Workflows Is Missing Authorization in Sync ConfigMap Provider

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider server/sync/synccm.go performs zero authorization checks on all CRUD operations create, read,...

EUVD-2026-29362

Due to missing authorization check in SAP Strategic Enterprise Management Scorecard Wizard in Business Server Pages, an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and...

PT-2026-40107

Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions : Devolutions Server...

PT-2026-40322

The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...

PT-2026-40127

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memory id are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...

GHSA-PW5X-2MF9-3XC8 MantisBT has a Private Bugnote Attachment Content Leak via REST API

A missing authorization check in MantisBT's file visibility function allows any authenticated user REPORTER+ to download attachments on private bugnotes they should not be able to access, via the REST API endpoint GET /api/rest/issues/id/files and SOAP API mcissueattachmentget endpoint. Impact -...

Meari IoT Cloud MQTT Broker EMQX 安全漏洞

Meari IoT Cloud MQTT Broker EMQX is a high-performance IoT messaging proxy service based on the MQTT protocol provided by Meari Corporation. A security vulnerability exists in the Meari IoT Cloud MQTT Broker EMQX 4.x version. This vulnerability stems from the lack of authorization for device-leve...

CVE-2026-42297 Argo Workflows Is Missing Authorization in Sync ConfigMap Provider

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider server/sync/synccm.go performs zero authorization checks on all CRUD operations create, read,...

CVE-2026-42297 Argo Workflows Is Missing Authorization in Sync ConfigMap Provider

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provider server/sync/synccm.go performs zero authorization checks on all CRUD operations create, read,...

EUVD-2026-28879

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILLCLIENT admin command. All users with access to the administration console which itself requires authorization could run this command. It would have been correct to allow only users listed in the adminusers...

CVE-2026-6667

PgBouncer (pre-1.25.2) contains an authorization flaw in the KILL_CLIENT admin command: any user with access to the administration console could execute the command, instead of restricting it to admins listed in admin_users. This could allow unauthorized clients to be killed. Remediation: upgrade...

CVE-2026-6667

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILLCLIENT admin command. All users with access to the administration console which itself requires authorization could run this command. It would have been correct to allow only users listed in the adminusers...

CVE-2026-6667

PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILLCLIENT admin command. All users with access to the administration console which itself requires authorization could run this command. It would have been correct to allow only users listed in the adminusers...

GHSA-WQFH-GQ79-J8MF free5GC's NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path

Summary free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token e.g. Authorization: Bearer not-a-real-token is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business...

CVE-2026-8077 Weak credentials vulnerability in the CashDro 3 web administration panel

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escala...