84 matches found
CVE-2026-62393
Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kylin. Improper authorization in job information retrieval, where an attacker may get access to unauthorized jobs in other projects. This issue affects Apache Kylin: from 4 through 5.0.3. Users are recommended to...
CVE-2026-62393 Apache Kylin: Improper authorization in job information retrieval
Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kylin. Improper authorization in job information retrieval, where an attacker may get access to unauthorized jobs in other projects. This issue affects Apache Kylin: from 4 through 5.0.3. Users are recommended to...
CVE-2026-62393
Apache Kylin CVE-2026-62393 involves improper authorization in job information retrieval, enabling access to unauthorized jobs across projects for versions 4–5.0.3. Root cause: insufficient permission checks during job info requests. Impact: potential exposure of job data across projects; CVSSv3....
CVE-2026-62393 Apache Kylin: Improper authorization in job information retrieval
Improper Handling of Insufficient Permissions or Privileges vulnerability in Apache Kylin. Improper authorization in job information retrieval, where an attacker may get access to unauthorized jobs in other projects. This issue affects Apache Kylin: from 4 through 5.0.3. Users are recommended to...
CVE-2026-56765
Summary (CVE-2026-56765): Vikunja prior to 2.2.1 contains two related authorization flaws. First, the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. Second, the GetTaskAttachment endpoint performs permission check...
CVE-2026-44918
OpenStack Ironic through before 37.0.1 allows creation or modification of nodes cross-project without authorization...
CVE-2026-44918
OpenStack Ironic through before 37.0.1 allows creation or modification of nodes cross-project without authorization...
CVE-2026-59253
n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder authorization boundaries by supplying crafted request payloads during workflow creation, causing logical...
EUVD-2026-42268
n8n before 2.28.0 contains an improper authorization vulnerability allowing authenticated users to assign workflows to folders in other projects. Attackers can bypass project and folder authorization boundaries by supplying crafted request payloads during workflow creation, causing logical...
CVE-2026-52782
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects//settings/projectstorages/ via PATCH parameter "storagesprojectstorageprojectfolderid" leads to Access to Unauthorized Resources. A project-admin in one project can...
CVE-2026-44732
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are...
PT-2026-52913
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.3 OpenProject versions prior to 17.4.1 Description An Insecure Direct Object Reference IDOR exists in the project storage settings. A project administrator can gain unauthorized access to the managed Nextclou...
PT-2026-48927
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The get versioned path method in kedro/io/core.py directly interpolates user-supplied version strings into filesystem paths without sanitization. This enables an attacker to...
Missing Authorization
Overview bugsink is a Self-hosted Error Tracking Affected versions of this package are vulnerable to Missing Authorization in the lookup process for sourcemaps and debug files, which was not properly scoped to the owning project. An attacker can access source context or symbolication-derived...
EUVD-2026-31860
Bugsink: Project scoping missing in sourcemap and debug-file lookup...
EUVD-2026-31862
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known...
GHSA-G5VC-Q7QC-V939 Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known
Description Bugsink’s issue list supports bulk actions such as resolving or muting selected issues. In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to...
EUVD-2026-31861
Bugsink: Issue event views can show an event from another project if its UUID is known...
CVE-2026-40896
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manageagendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target...
CVE-2026-40904
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes multiple dataset and dataRequest endpoints that authorize low-privileged project members at the team level instead of binding the...