
18 matches found

CVE
added 4 days ago, 7 views

CVE-2026-27883

Coolify vulnerability CVE-2026-27883 is an intra-organization information disclosure (IDOR) affecting deployment details via GET /api/v1/deployments/{uuid}. Before 4.0.0-beta.464, an authenticated user could access deployment data for any team because the token-provided teamId was not used to sc...

CVSS 5, AI score 5.8, EPSS 0.00213
Exploits 0, References 1
NVD
added 5 days ago, 6 views

CVE-2026-34592

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying...

CVSS 7.7, EPSS 0.00201
Exploits 0, References 1
CVE
added 5 days ago, 6 views

CVE-2026-34592

CVE-2026-34592 (Coolify) affects the Coolify server and project lookup functionality. Before 4.0.0-beta.471, lookups were not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying IDs directly. This constitutes an unauthe...

CVSS 7.7, AI score 5.8, EPSS 0.00201
Exploits 0, References 1
Positive Technologies
added 5 days ago, 5 views

PT-2026-53749

Name of the Vulnerable Software and Affected Versions: Coolify versions prior to 4.0.0-beta.471. Description: Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Server and project lookups are not scoped to the current team, which allows any...

CVSS 7.7, AI score 5.8, EPSS 0.00201
Exploits 0, References 5
EUVD
added 2026/05/19 7:17 p.m., 15 views

EUVD-2026-30974

In the AWS Secrets Manager and SSM Parameter Store secrets backends of apache-airflow-providers-amazon prior to 9.28.0, the team-scoping logic could resolve a conn_id containing a / (e.g. "myteam/conn") to the same path as another team's team-scoped secret when the caller had no team context. A...

CVSS 5.3, AI score 5.8, EPSS 0.00413
Exploits 0, References 2
CVE
added 2026/05/19 7:17 p.m., 24 views

CVE-2026-42526

The CVE-2026-42526 vulnerability affects apache-airflow-providers-amazon backends for AWS Secrets Manager and SSM Parameter Store prior to 9.28.0. The team-scoping logic could resolve a conn_id containing a slash (for example a_team/conn) to the same path as another team's secret when the caller ...

CVSS 5.3, AI score 5.8, EPSS 0.00413
Exploits 0, References 3, Affected Software 1
Github Security Blog
added 2026/05/06 6:28 p.m., 8 views

Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation

Summary: Any ROLE_TEAMLEAD user can enumerate, read, modify, and permanently delete timesheets belonging to any other user in the system, regardless of team membership. This enables data destruction (deleted billable hours), data tampering (forged timesheet durations), and full authorization bypass on...

AI score 5.9
Exploits 0, References 2, Affected Software 1
OSV
added 2026/05/06 6:28 p.m., 7 views

GHSA-9G2Q-W3W2-VF7Q Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation

Summary: Any ROLE_TEAMLEAD user can enumerate, read, modify, and permanently delete timesheets belonging to any other user in the system, regardless of team membership. This enables data destruction (deleted billable hours), data tampering (forged timesheet durations), and full authorization bypass on...

CVSS 7.1, AI score 5.9
Exploits 0, References 2
OSV
added 2026/03/16 3:30 p.m., 4 views

GHSA-XPVF-6QCC-9JQC Mattermost fails to validate team-specific upload_file permissions

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions, which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file...

CVSS 4.3, AI score 5.8, EPSS 0.00218
Exploits 0, References 4
NVD
added 2026/03/16 2:20 p.m., 6 views

CVE-2026-4265

Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to validate team-specific upload_file permissions, which allows a guest user to post files in channels where they lack upload_file permission via uploading files in a team where they have permission and reusing the file...

CVSS 4.3, EPSS 0.00218
Exploits 0, References 1
Tenable Nessus
added 2025/11/20 12:00 a.m., 4 views

Mattermost Server 10.5.x < 10.5.12 / 10.11.x < 10.11.4 / 11.0.0 Missing Authorization (MMSA-2025-00518)

The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2025-00518 advisory. - Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API which allows...

CVSS 4.3, AI score 7.3, EPSS 0.00162
Exploits 0, References 2
RedhatCVE
added 2025/11/14 6:02 p.m., 6 views

CVE-2025-11777

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint...

CVSS 4.3, AI score 6.7, EPSS 0.00162
Exploits 0, References 1
EUVD
added 2025/11/13 6:31 p.m., 5 views

EUVD-2025-175343

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint...

CVSS 3.1, AI score 6.1, EPSS 0.00162
Exploits 0, References 2
Github Security Blog
added 2025/11/13 6:31 p.m., 9 views

Mattermost Incorrect Authorization vulnerability

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint...

CVSS 4.3, AI score 6.7, EPSS 0.00162
Exploits 0, References 6, Affected Software 5
OSV
added 2025/11/13 6:31 p.m., 5 views

GHSA-MQCJ-8C2G-H97Q Mattermost Incorrect Authorization vulnerability

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint...

CVSS 3.1, AI score 6.6, EPSS 0.00162
Exploits 0, References 6
Vulnrichment
added 2025/11/13 5:32 p.m., 4 views

CVE-2025-11777 Cross-team channel membership access

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint...

CVSS 3.1, AI score 6.2, EPSS 0.00162
Exploits 0, References 1
Cvelist
added 2025/11/13 5:32 p.m., 9 views

CVE-2025-11777 Cross-team channel membership access

Mattermost versions 10.11.x <= 10.11.3, 10.5.x <= 10.5.11 fail to properly validate team membership permissions in the Add Channel Member API, which allows users from one team to access user metadata and channel membership information from other teams via the API endpoint...

CVSS 3.1, EPSS 0.00162
Exploits 0, References 1
CVE
added 2025/11/13 5:32 p.m., 15 views

CVE-2025-11777

Affected products/versions: Mattermost Server 10.5.x (<= 10.5.11) and 10.11.x (

CVSS 4.3, AI score 6.2, EPSS 0.00162
Exploits 0, References 1, Affected Software 1