Lucene search
K

7 matches found

CVE
CVE
added 2026/06/25 6:10 p.m.16 views

CVE-2026-56774

What is affected: Kanboard up to version 1.2.52. Root cause: UserViewController::removeSession does not validate the session id before calling RememberMeSessionModel::remove. Impact: Authenticated users can enumerate sequential session IDs to mass-invalidate persistent login sessions (including a...

5.4CVSS5.9AI score0.00266EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/25 5:40 p.m.32 views

CVE-2026-54097 File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser with create + delete permissions in their own isolated scope can silently destroy share-link...

7.2CVSS0.00411EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/25 3:51 p.m.6 views

CVE-2026-54029 LibreChat: IDOR in Message Deletion — Incomplete Fix for CVE-2024-41703 Leaves deleteMessages() Without User Filter

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any other user's messages. The validateMessageReq middleware only validates that the conversationId...

5.3CVSS5.8AI score0.00353EPSS
Exploits2References1
OSV
OSV
added 2026/06/12 9:0 p.m.14 views

GHSA-5WW9-JG6Q-38R7 File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

Summary A low-privileged authenticated user of filebrowser with create + delete permissions in their own isolated scope can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose...

7.2CVSS5.5AI score0.00411EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/20 11:3 p.m.6 views

EUVD-2026-23984

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method DELETE /console/api/installed-apps//conversations/ has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue...

5.3CVSS5.7AI score0.00188EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/13 6:56 p.m.5 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the file replace API. An attacker can delete files belonging to other users by abusing insufficient authorization checks on the deleteNewFile flag. Note: This is only exploitable if the attacker has permission...

6.6CVSS5.8AI score0.00179EPSS
Exploits0References2
OSV
OSV
added 2026/01/20 5:14 p.m.8 views

GHSA-J7XP-4MG9-X28R Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion

Summary knowledgeBase.removeFilesFromKnowledgeBase tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. Details userId filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the...

3.7CVSS5.7AI score0.00194EPSS
Exploits0References4
Rows per page
Query Builder