CVE-2026-44718 Mathesar: Missing collaborator checks allowed access to saved explorations in other databases

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an explorationid without verifying that the requesting user was a collaborator on the...

PT-2026-41351

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete operate on an exploration id without verifying that the requesting user was a collaborator on the...

GO-2026-4846 Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports...

GHSA-7C2G-P23P-4JG3 Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Summary The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later...

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration we...

CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...

CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...

CVE-2026-33677

Vikunja (self-hosted task management) prior to version 2.2.1 exposes webhook BasicAuth credentials (basic_auth_user, basic_auth_password) via GET /api/v1/projects/:project/webhooks to any user with read access. The code already masks the HMAC secret, but the BasicAuth fields were not masked after...

EUVD-2021-0961

Malware in sbrugna...

EUVD-2025-12377

Malicious code in bioql PyPI...

CVE-2019-14544

routes/api/v1/api.go in Gogs 0.11.86 lacks permission checks for routes: deploy keys, collaborators, and hooks...

CVE-2024-12862

Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4...

CVE-2024-12862

Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4...

CVE-2024-12862 REST API allows users without permissions to remove external collaborators

Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4...

CVE-2024-12862

CVE-2024-12862 describes an Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows and Linux, allowing users without proper permissions to remove external collaborators. Affected versions: Content Server 20.2–24.4. CVSS v4.0 base score 5.5 (Medium). No public exp...

CVE-2024-12862 REST API allows users without permissions to remove external collaborators

Incorrect Authorization vulnerability in the OpenText Content Server REST API on Windows, Linux allows users without the appropriate permissions to remove external collaborators.This issue affects Content Server: 20.2-24.4...

OpenText Content Server 安全漏洞

OpenText Content Server is an enterprise content management software from OpenText Canada. A security vulnerability exists in OpenText Content Server versions 20.2 through 24.4, which stems from improper authorization of the REST API and could result in an unprivileged user deleting external...

HackerOne: Hackers can Invite Collaborators Without 2FA on Programs Requiring 2FA

Vulnerability description not provided...

GitHub Enterprise Server Security Vulnerability

GitHub Enterprise Server is a U.S. GitHub open source application. Provides a platform for setting up your own GitHub instance as a virtual appliance, thus providing a scalable, easy-to-manage platform. A security vulnerability exists in GitHub Enterprise Server versions prior to 3.8.12, prior to...

CVE-2023-29045

Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborati...