7 matches found

OSV
added 2026/05/07 9:16 p.m., 4 views

GHSA-RJ4G-RQGH-RX9H Ech0 comment model's Email field returned on public /api/comments endpoints

Summary: The Comment model serializes its Email field through the public comment-listing API. internal/model/comment/comment.go:33 uses json:"email", while adjacent PII fields IPHash, UserAgent correctly use json:"-". The public endpoints GET /api/comments?echoid=X and GET...

CVSS 5.3, AI score 5.8
Exploits 0, References 3
CVE
added 2026/04/21 7:06 p.m., 1 view

CVE-2026-40870

The CVE affects the Decidim framework: root-level commentable in the API (under /api) lets unauthenticated users access all commentable resources, bypassing permission checks. Affected versions are 0.0.1 up to but not including 0.30.5 and 0.31.1. The issue is fixed in 0.30.5 and 0.31.1. Mitigatio...

CVSS 7.5, AI score 5.8, EPSS 0.00045
Exploits 0, References 1
Vulnrichment
added 2026/04/21 7:06 p.m., 0 views

CVE-2026-40870 Decidim's comments API allows access to all commentable resources

Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that hav...

CVSS 7.5, AI score 5.8, EPSS 0.00045
Exploits 0, References 1
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2012-3430

Malware in sbrugna...

CVSS 5, AI score 6.4, EPSS 0.0025
Exploits 1, References 3
RedhatCVE
added 2025/05/22 12:21 p.m., 9 views

CVE-2012-3473

The (1) reports API and (2) administration feature in the comments API in the Ushahidi Platform before 2.5 do not require authentication, which allows remote attackers to generate reports and organize comments via API functions...

CVSS 6.4, AI score 7.1, EPSS 0.00299
Exploits 1, References 1
Prion
added 2012/08/12 9:55 p.m., 14 views

Information disclosure

The comments API in application/libraries/api/MYCommentsApiObject.php in the Ushahidi Platform before 2.5 allows remote attackers to obtain sensitive information about the e-mail address, IP address, and other attributes of the author of a comment via an API function call...

CVSS 5, AI score 6.7, EPSS 0.0025
Exploits 1, References 2, Affected software 1
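The Ech0 advisory and the Ushahidi information-disclosure entry above are the same bug class: a comment record that holds the author's e-mail and IP data is handed straight to the public listing serializer, so whatever the model exposes, the API exposes. The Go program below is an added example, not code from Ech0, Ushahidi or any advisory; the struct layouts, field names, tag values and the deny-list of key names are assumptions modelled on the advisory text. It shows the leaky pattern (one model with a serializing tag on Email beside json:"-" neighbours), the hardened pattern (a storage record that is never marshalled and an explicit allow-list response type), and a small regression check that scans a captured response for forbidden keys.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// LeakyComment reproduces the bug class from the Ech0 advisory: the storage
// model is also the API response, and the Email field carries a serialising
// tag while its PII neighbours are hidden with json:"-". Field names are
// assumptions modelled on the advisory text, not the project's code.
type LeakyComment struct {
	ID        int    `json:"id"`
	Content   string `json:"content"`
	Email     string `json:"email"` // the leak: reaches every client of the listing
	IPHash    string `json:"-"`     // hidden, as intended
	UserAgent string `json:"-"`     // hidden, as intended
}

// MarshalLeakyList renders the listing the way the vulnerable endpoint does.
func MarshalLeakyList(cs []LeakyComment) ([]byte, error) {
	return json.Marshal(cs)
}

// StoredComment is the hardened layout's storage record. It carries no JSON
// tags because it is never marshalled for clients; a tag mistake here can no
// longer leak anything. (Beware json:"-," which names the key "-" rather
// than hiding the field.)
type StoredComment struct {
	ID        int
	Content   string
	Email     string
	IPHash    string
	UserAgent string
}

// PublicComment is the only type a public endpoint marshals. Every field on
// the wire is an explicit, reviewable allow-list entry.
type PublicComment struct {
	ID      int    `json:"id"`
	Content string `json:"content"`
}

// ToPublic copies the allow-listed fields and nothing else.
func ToPublic(c StoredComment) PublicComment {
	return PublicComment{ID: c.ID, Content: c.Content}
}

// MarshalPublicList renders a comment listing the way a public endpoint should.
func MarshalPublicList(cs []StoredComment) ([]byte, error) {
	out := make([]PublicComment, 0, len(cs))
	for _, c := range cs {
		out = append(out, ToPublic(c))
	}
	return json.Marshal(out)
}

// ForbiddenKeys decodes a JSON array of objects and returns the deny-listed
// top-level keys it contains, in deny-list order. Run it over a captured
// response in a unit test and fail on any hit; that turns "did someone add
// a tag to the model" into a regression check instead of a code-review hope.
func ForbiddenKeys(body []byte, deny []string) ([]string, error) {
	var rows []map[string]json.RawMessage
	if err := json.Unmarshal(body, &rows); err != nil {
		return nil, err
	}
	seen := make(map[string]bool)
	for _, row := range rows {
		for k := range row {
			seen[k] = true
		}
	}
	hits := []string{}
	for _, k := range deny {
		if seen[k] {
			hits = append(hits, k)
		}
	}
	return hits, nil
}

// PIIKeys is the deny-list for a comments listing (assumed key names).
var PIIKeys = []string{"email", "ip", "ip_hash", "user_agent"}

func main() {
	// Constructed sample record, not real user data.
	leaky := []LeakyComment{{ID: 1, Content: "hi", Email: "alice@example.com", IPHash: "ab12", UserAgent: "curl/8"}}
	lb, _ := MarshalLeakyList(leaky)
	hits, _ := ForbiddenKeys(lb, PIIKeys)
	fmt.Printf("vulnerable: %s\n  PII keys on the wire: %v\n", lb, hits)

	stored := []StoredComment{{ID: 1, Content: "hi", Email: "alice@example.com", IPHash: "ab12", UserAgent: "curl/8"}}
	fb, _ := MarshalPublicList(stored)
	hits, _ = ForbiddenKeys(fb, PIIKeys)
	fmt.Printf("hardened:   %s\n  PII keys on the wire: %v\n", fb, hits)
}
```

The design point is that a separate response type is safer than relying on json:"-" on the storage model: with the allow-list type, adding a new PII column to storage changes nothing on the wire, whereas with tags on the model every new field is exposed unless someone remembers to hide it. ForbiddenKeys only inspects top-level keys; extend it to recurse if the listing nests author objects.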
Tenable Nessus
added 2007/10/25 12:00 a.m., 33 views

FreeBSD : drupal --- multiple vulnerabilities (9c00d446-8208-11dc-9283-0016179b2dd5)

The Drupal Project reports: In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of...

CVSS 6.8, AI score 5.9, EPSS 0.02571
Exploits 0, References 11