Lucene search
K

8 matches found

Github Security Blog
Github Security Blog
added 2026/06/05 9:44 p.m.14 views

Bugsink: Project scoping missing in sourcemap and debug-file lookup

Summary Bugsink before 2.2.0 resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for...

4.3CVSS5.1AI score0.00178EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/05 9:43 p.m.6 views

GHSA-VX2F-6M6H-9FRF Bugsink: Issue event views can show an event from another project if its UUID is known

Description Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view anoth...

3.1CVSS5.3AI score0.00154EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/26 4:16 p.m.8 views

CVE-2026-47728

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use...

4.3CVSS5.8AI score0.00178EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/05/26 4:16 p.m.20 views

CVE-2026-47728

Bugsink (self-hosted error tracking) prior to 2.2.0 stores and looks up sourcemaps and debug files by debug ID without scoping to the owning project. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for ano...

4.3CVSS5.8AI score0.00178EPSS
Exploits0References2
NVD
NVD
added 2026/05/07 4:16 a.m.53 views

CVE-2026-40981

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater...

7.5CVSS0.00435EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/04 6:26 p.m.5 views

CVE-2026-42227 n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API...

6CVSS5.8AI score0.00203EPSS
Exploits0References1
CVE
CVE
added 2026/05/04 6:26 p.m.26 views

CVE-2026-42227

The CVE affects n8n (open source workflow automation) prior to versions 1.123.32, 2.17.4, and 2.18.1. An authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying a projectId to the public API variables endpoint. The h...

6.5CVSS5.8AI score0.00203EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/24 3:35 p.m.2 views

CVE-2026-33676

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...

6.5CVSS5.8AI score0.0033EPSS
Exploits1References5Affected Software1
Rows per page
Query Builder