Apache Superset Security Bypass Vulnerability (CNVD-2026-13252)
Apache Superset is a data visualization and data exploration platform from the Apache Software Foundation (USA). A security bypass vulnerability exists in Apache Superset, which can be exploited by an attacker to bypass data access controls...
MBS Multiple Products Security Vulnerability
The MBS UBR-01 Mk II and other products are made by the German company MBS. The MBS UBR-01 Mk II is a remote base station device. The MBS UBR-02 is also a remote base station device. The MBS UBR-LON is a communication interface device for industrial automation systems. Several MBS products have security...
CVE-2026-28724
Unauthorized data access due to insufficient access control validation. The following products are affected: Acronis Cyber Protect 17 Linux, Windows before build 41186...
PT-2026-24089
Name of the Vulnerable Software and Affected Versions: PowerSync versions prior to 1.20.1. Description: The PowerSync Service, a server-side component of the PowerSync sync engine, had an issue in version 1.20.0 where subquery filters were ignored when determining data synchronization for users with...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the tenant management handlers in the /api/v1/tenants routes. An attacker can read, modify, or delete any tenant, including transferring ownership or destroying tenants, by calling GET, PUT, or DELETE on...
CVE-2026-30229
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary...
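The two entries above describe the same class of defect from two angles: a credential that is meant to be read-only being allowed to mint a session for any user (Parse Server's readOnlyMasterKey calling POST /loginAs), and tenant routes that check only that the caller is authenticated, not that the caller owns the tenant. The block below is an added example, not code from Parse Server or from the unnamed tenant package. The header names, route shapes, credential tiers, policy (a read-only master key may GET but not mutate a tenant) and the tenant and session tables are all assumed for illustration.

```javascript
// Added example (not Parse Server's or any project's code): a minimal
// authorization gate showing the two flaws in the advisories above next
// to a hardened version. Header names, routes, keys and data are assumed.

// Credential tiers, lowest to highest.
const TIER = { ANON: 0, USER: 1, READ_ONLY_MASTER: 2, MASTER: 3 };

// Constructed credential store; real deployments keep these secret.
const KEYS = { master: 'master-secret', readOnlyMaster: 'ro-secret' };
const SESSIONS = { 's-alice': 'alice', 's-bob': 'bob' };

// Constructed tenant table with an owner per tenant.
const TENANTS = {
  t1: { owner: 'alice', name: 'Alice Co' },
  t2: { owner: 'bob', name: 'Bob Ltd' },
};

// Classify the caller from request headers (header names are assumed,
// keys lower-cased as a Node HTTP server would present them).
function classify(headers) {
  if (headers['x-master-key'] === KEYS.master) return { tier: TIER.MASTER };
  if (headers['x-read-only-master-key'] === KEYS.readOnlyMaster) {
    return { tier: TIER.READ_ONLY_MASTER };
  }
  const user = SESSIONS[headers['x-session-token']];
  if (user) return { tier: TIER.USER, user };
  return { tier: TIER.ANON };
}

const TENANT_ROUTE = /^\/api\/v1\/tenants\/([^/]+)$/;

// Vulnerable gate: any master-class credential (including the read-only
// one) may call loginAs, and tenant routes only require a valid session,
// so any user can read, modify or delete any tenant.
function vulnerableGate(req) {
  const caller = classify(req.headers);
  if (req.path === '/loginAs') return caller.tier >= TIER.READ_ONLY_MASTER;
  if (TENANT_ROUTE.test(req.path)) return caller.tier >= TIER.USER;
  return false;
}

// Hardened gate: loginAs mints a session for an arbitrary user, so it is
// a write-class privilege and needs the full master key. Tenant routes
// resolve the object first and enforce ownership; the read-only master
// key is limited to GET.
function hardenedGate(req) {
  const caller = classify(req.headers);
  if (req.path === '/loginAs') return caller.tier === TIER.MASTER;
  const m = req.path.match(TENANT_ROUTE);
  if (m) {
    const tenant = TENANTS[m[1]];
    if (!tenant) return false; // unknown object: deny, do not leak existence
    if (caller.tier === TIER.MASTER) return true;
    if (caller.tier === TIER.READ_ONLY_MASTER) return req.method === 'GET';
    return caller.tier === TIER.USER && tenant.owner === caller.user;
  }
  return false;
}

// Constructed requests used to compare the two gates.
const RO_LOGIN_AS = {
  method: 'POST', path: '/loginAs',
  headers: { 'x-read-only-master-key': 'ro-secret' },
};
const ALICE_DELETES_BOB = {
  method: 'DELETE', path: '/api/v1/tenants/t2',
  headers: { 'x-session-token': 's-alice' },
};
```

The decisive difference is that the hardened gate decides per operation and per object: it asks what the endpoint can do (loginAs impersonates anyone, so only the highest tier qualifies) and who owns the object the route names, instead of treating "has some valid credential" as sufficient.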
CVE-2026-28785
Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the...
EUVD-2026-9995
Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symbol validation, an attacker can execute arbitrary SQL commands via the getHistorical method, potentially allowing them to read, modify, or delete sensitive financial data for all users in the...
Acronis Cyber Protect Security Vulnerability
Acronis Cyber Protect is an enterprise-oriented cyber protection solution developed by the Swiss company Acronis. It combines features such as backup, anti-malware, cybersecurity, and endpoint management, including vulnerability assessment, URL filtering, patch management, etc. Versions of...
Ghostfolio SQL Injection Vulnerability
Ghostfolio is an open-source personal wealth management software developed by Ghostfolio. Versions of Ghostfolio prior to 2.244.0 contained a SQL injection vulnerability. This vulnerability stemmed from bypassing symbol validation, which could allow arbitrary SQL commands to be executed through t...
PT-2026-23638
Name of the Vulnerable Software and Affected Versions: Chartbrew versions prior to 4.8.3. Description: Chartbrew is a web application that connects to databases and APIs to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against...
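The Ghostfolio entries above (a symbol validation bypass leading to arbitrary SQL via getHistorical) and the Chartbrew entry (unauthenticated SQL injection into queries) share one root cause: user input reaches the SQL text. The block below is an added example, not code from Ghostfolio or Chartbrew. The table and column names, the symbol grammar, the weak validator and the injection payload are all constructed for illustration; the weak validator illustrates one common way a validation check can be bypassed (an unanchored regex) and is not a claim about the specific bug in either project.

```javascript
// Added example (not Ghostfolio's or Chartbrew's code): a symbol lookup
// built three ways. Table, columns, symbol grammar and payload are assumed.

// Constructed attacker input: closes the string literal, appends a UNION
// that reads another table, and comments out the rest of the statement.
const INJECTION_PAYLOAD = "AAPL' UNION SELECT email, balance FROM users --";

// Vulnerable: the symbol is spliced into the SQL text, so anything that
// gets past validation (or around it) rewrites the statement.
function buildHistoricalQueryVulnerable(symbol) {
  return `SELECT date, close FROM market_data WHERE symbol = '${symbol}' ORDER BY date`;
}

// Weak validator: the pattern is not anchored, so any input that contains
// at least one allowed character passes. Constructed to show a bypass.
const WEAK_SYMBOL_RE = /[A-Z0-9.\-]+/;
function isValidSymbolWeak(symbol) {
  return typeof symbol === 'string' && WEAK_SYMBOL_RE.test(symbol);
}

// Strict allow-list: anchored, bounded length, no quotes, spaces, or
// comment characters. Assumed grammar: 1 to 20 characters from upper-case
// letters, digits, '.', '-' and '='; adapt to the data provider's real
// symbol format.
const SYMBOL_RE = /^[A-Z0-9][A-Z0-9.\-=]{0,19}$/;
function isValidSymbol(symbol) {
  return typeof symbol === 'string' && SYMBOL_RE.test(symbol);
}

// Hardened: validate first to fail fast, then parameterize. The driver
// ships SQL text and values separately, so the value can never change the
// statement's structure even if validation is later loosened.
function buildHistoricalQuery(symbol) {
  if (!isValidSymbol(symbol)) {
    throw new Error(`rejected symbol: ${JSON.stringify(symbol)}`);
  }
  return {
    text: 'SELECT date, close FROM market_data WHERE symbol = $1 ORDER BY date',
    values: [symbol],
  };
}

// Quick check a reviewer can run on a string-built query: does the
// attacker-controlled value appear inside the SQL text at all?
function queryEmbedsInput(sql, input) {
  return sql.includes(input);
}
```

Validation alone is a fragile defence because it has to be correct on every code path that reaches the query; parameterization removes the class of bug regardless of what the validator lets through. Keep the allow-list anyway: it gives a clear error to callers and stops junk before it costs a database round trip.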
GHSA-C36C-7PC2-F2PH Gokapi has Data Leak in Upload Status Stream
Description: The upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes fileid values that are not scoped to the requesting user. Impact: Any authenticated user can observe other users' file identifiers and retrieve unauthorized...
EUVD-2026-9833
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') and Use of Password Hash With Insufficient Computational Effort vulnerability in rustdesk-client RustDesk Client (rustdesk, hbbcommon) on Windows, macOS, Linux: password security module, config encryption, machine U...
CVE-2025-13734
IBM Engineering Requirements Management DOORS Next 7.1 and 7.2 could allow an authenticated user to view and edit data beyond their authorized access permissions...
Microsoft Payment Orchestrator Service Access Control Error Vulnerability
Microsoft Payment Orchestrator Service is a Microsoft feature that provides cloud-native payment process automation and orchestration for the financial services industry. An Access Control Error vulnerability exists in Microsoft Payment Orchestrator Service, which stems from improper authenticati...
PT-2026-23598
Name of the Vulnerable Software and Affected Versions: Acronis Cyber Protect versions prior to build 41186. Description: The software suffers from insufficient access control validation, leading to unauthorized data access. Recommendations: Update Acronis Cyber Protect to build 41186 or later...