24 matches found
CVE-2026-49858 API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate
API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions from 2.6.0 prior to 4.1.29, 4.2.26, and 4.3.12, a missing isCacheKeySafe gate in the JSON:API and HAL item normalizers causes a cross-user attribute leak. ApiProperty(security: ...) is evaluated per request...
CVE-2026-49858
API Platform Core contains a cross-user attribute leak in JSON:API and HAL item normalizers due to a missing isCacheKeySafe gate. Affected versions: 2.6.0 up to 4.1.28, 4.2.25, and 4.3.11 (i.e., before 4.1.29, 4.2.26, 4.3.12). Root cause: componentsCache arrays are keyed on $context['cache_key'] ...
CVE-2021-0979
In isRequestPinItemSupported of ShortcutService.java, there is a possible cross-user leak of packages in which the default launcher supports requests to create pinned shortcuts due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges...
EUVD-2025-201741
In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-48628
In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
ASB-A-376462130
In validateIconUserBoundary of PrintManagerService.java, there is a possible cross-user image leak due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
PT-2025-43501
Name of the Vulnerable Software and Affected Versions: Android affected versions not specified Description: A flaw exists in the Framework component of Android operating systems related to insufficient protection of sensitive data. Exploitation may allow an attacker to disclose protected informatio...
EUVD-2025-27042
Malicious code in bioql PyPI...
EUVD-2021-3598
Malicious code in bioql PyPI...
CVE-2025-48529
In setRingtoneUri of VoicemailNotificationSettingsUtil.java, there is a possible cross user data leak due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-26453
In isContentUriForOtherUser of BluetoothOppSendFileInfo.java, there is a possible cross user data leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-48529
The CVE-2025-48529 issue affects VoicemailNotificationSettingsUtil.java, specifically the setRingtoneUri function, causing a cross-user data leak (confused deputy) that can disclose local information without extra privileges. Exploitation requires no user interaction and is local. The connected d...
CVE-2025-26424
In multiple functions of VpnManager.java, there is a possible cross-user data leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2025-26453
CVE-2025-26453 concerns a cross-user information disclosure in Android Bluetooth code (BluetoothOppSendFileInfo.java) due to a logic error in isContentUriForOtherUser. The issue enables local information disclosure with no extra execution privileges and does not require user interaction. The prim...
PT-2025-36009
Name of the Vulnerable Software and Affected Versions: VpnManager.java affected versions not specified Description: Multiple functions within VpnManager.java contain a logic error that may result in cross-user data leakage, potentially leading to local information disclosure. Exploitation does no...
PT-2025-36023
Name of the Vulnerable Software and Affected Versions: BluetoothOppSendFileInfo.java affected versions not specified Description: A logic error exists in the isContentUriForOtherUser function within BluetoothOppSendFileInfo.java, potentially leading to a cross-user data leak. This issue could...