9 matches found
CVE-2026-32230
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query...
CVE-2026-32230
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query...
CVE-2026-32230 Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query...
CVE-2026-32230
Uptime Kuma (2.0.0–2.1.3) contains a missing authorization check on the GET /api/badge/:id/ping/:duration? endpoint. The ping badge endpoint does not verify that the target monitor belongs to a public group, unlike other badge endpoints that enforce public = 1 in SQL queries. This allows unauthen...
CVE-2026-32230 Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query...
CVE-2026-32230
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3 , the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query...
Uptime Kuma is Missing Authorization Checks on Ping Badge Endpoint, Leaks Ping times of monitors without needing to be on a status page
Summary The GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely,...
PT-2025-39348
Name of the Vulnerable Software and Affected Versions Flag Forge versions prior to 2.2.0 Description The /api/admin/assign-badge endpoint in Flag Forge does not have sufficient access controls. This allows any authenticated user to assign high-privilege badges, such as Staff, to themselves. This...
Flag Forge 安全漏洞
Flag Forge is an easy-to-use CTF platform open-sourced by FlagForge. A security vulnerability exists in Flag Forge version 2.1.0, which stems from a lack of proper access control in the /api/admin/assign-badge endpoint, which could lead to elevation of privilege and administrator role impersonati...