70 matches found
CVE-2026-15191 mettle sendportal Campaign Creation Endpoint CampaignStoreRequest.php authorization
A flaw has been found in mettle sendportal up to 3.0.1. This vulnerability affects unknown code of the file vendor/mettle/sendportal-core/src/Http/Requests/CampaignStoreRequest.php of the component Campaign Creation Endpoint. Executing a manipulation can lead to authorization bypass. The attack c...
CVE-2026-2299
CVE-2026-2299 affects the Mattermost Google Drive plugin prior to version 1.1.0. The file creation endpoint does not validate channel membership, allowing authenticated users with a connected Google account to share Google Drive files into unauthorized private channels and disclose private channe...
CVE-2026-42867 Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API POST /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are used directly to create file paths without...
Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint
Summary Langflow is vulnerable to Path Traversal in the Knowledge Bases API POST /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw...
EUVD-2026-36552
A mass assignment vulnerability exists in MISP’s sharing group creation endpoint. When creating a new sharing group, the controller did not remove a user-supplied id field before saving the submitted data. In CakePHP, supplying a primary key in the save data can cause a create followed by save...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the create and store functions in ApiEntityListQuickCreationCommandController.php. A user can create or submit new records on the Quick Creation Command endpoint for any entity with Quick Creation Command...
CVE-2026-36341
Cross-Site Scripting XSS vulnerability exists in Webkul Krayin CRM v2.1.5. The application fails to sanitize user-supplied input in the comment field during Activity creation on the /admin/activities/create endpoint...
CVE-2026-6598
A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function createproject/encryptauthsettings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...
CVE-2026-34722
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4...
CVE-2026-31245
The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...
CVE-2026-31245
The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...
CVE-2026-31245
The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint POST /memories. The endpoint allows unauthenticated users to submit arbitrary memory records without verifying their identity or permissions. A remote attacker can exploit this by sending...
GHSA-9VVH-QMJX-P4Q8 Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining
Base Model Routing Bypasses Access Control via Model Chaining Affected Component Model chaining via basemodelid: - backend/openwebui/routers/models.py lines 170-214, createnewmodel - backend/openwebui/routers/models.py lines 254-308, importmodels - backend/openwebui/main.py lines 1696-1711, base...
CVE-2026-41649
Outline is a service that allows for collaborative documentation. The shares.create API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference.. When both collectionId and documentId are provided in the request, the authorization logic only checks...
PT-2026-34841
Name of the Vulnerable Software and Affected Versions Press affected versions not specified Description Press, a Frappe custom app used for managing infrastructure, subscriptions, marketplace, and software-as-a-service SaaS, contains a flaw in the 'press.api.account.create api secret' endpoint...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via import flow. An attacker can gain remote code execution using company creation endpoint that improperly checks for admin rights in authenticated mode deployment with default configuration. Remediation Upgrade...
Missing Authorization
Overview @paperclipai/ui is a Prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Missing Authorization via import flow. An attacker can gain remote code execution using company creation endpoint that improperly checks for admin rights in authenticated mode...
PT-2026-34745
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key id and internal state fields of DocumentStore entities. Because the...
CVE-2026-6598 langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file
A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function createproject/encryptauthsettings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...
CVE-2026-6598 langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file
A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function createproject/encryptauthsettings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument authsetting...