EUVD-2026-21494
Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via improper authorization checks in the CanDoAPIRoute process. An attacker can delete project backgrounds by using an API token with only the projects.background permission, bypassing intended access controls fo...
Vikunja vulnerable to Privilege Escalation via Project Reparenting
Summary A user with Write-level access to a project can escalate their permissions to Admin by moving the project under a project they own. After reparenting, the recursive permission CTE resolves ownership of the new parent as Admin on the moved project. The attacker can then delete the project,...
PT-2026-31946
Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0 Description A permission escalation issue exists in Vikunja that allows a user with Write access to a project to escalate their permissions to Admin by moving the project under a project they own. This is due to...
CVE-2026-33312 Read-only Vikunja users can delete project background images via broken object-level authorization
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delet...
CVE-2025-68938
A flaw was found in Gitea. An incorrect authorization allows an authenticated user with minimal privileges to delete project releases, causing a loss of availability of project assets and distribution history. Mitigation Mitigation for this issue is either not available or the currently available...
WordPress KKProgressbar2 1.1.4.2 Cross Site Request Forgery
WordPress KKProgressbar2 version 1.1.4.2 cross site request forgery proof of concept exploit. Exploit Title: WordPress Plugin KKProgressbar2 - Cross-Site Request Forgery CSRF Date: 2025-10-05 Exploit Author: Milad Karimi Ex3ptionaL Contact: [email protected] Zone-H:...
EUVD-2025-24076
Malicious code in bioql PyPI...
CVE-2025-8796
A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/deleteproject/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack...
CVE-2025-8796 LitmusChaos Litmus Delete Request delete_project authorization
A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/deleteproject/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack...
Siemens TeleControl Server Basic SQL Injection Vulnerability
Siemens TeleControl Server Basic is an industrial remote controller from Siemens, Germany. Siemens TeleControl Server Basic suffers from an SQL injection vulnerability that stems from the lack of proper filtering of input in the internally used 'DeleteProject' method. An attacker could exploit th...
Tauri Security Vulnerability
Tauri is an open-source framework for building smaller, faster, and more secure desktop applications using a web front end. A security vulnerability exists in Tauri that allows an attacker to access the Tauri IPC endpoint and execute commands such as delete project via ...
Cross-Site Request Forgery (CSRF) in spiral-project/ihatemoney
✍️ Description CSRF bug to delete project 🕵️ Proof of Concept 1. Go to https://ihatemoney.org/ and create a new project whose project name is XXXX. The request below is vulnerable to a CSRF attack which will delete the whole project: https://ihatemoney.org/xxxx/delete 💥 Impact Attacker can...
Cross site request forgery (csrf)
Cross-site request forgery CSRF vulnerability in index.php in ProjectPier 0.8 and earlier allows remote attackers to perform actions as an administrator via the query string, as demonstrated by a delete project action...
CVE-2008-5583
Cross-site request forgery CSRF vulnerability in index.php in ProjectPier 0.8 and earlier allows remote attackers to perform actions as an administrator via the query string, as demonstrated by a delete project action...
projectpier-xssxsrf.txt
ProjectPier. Impact: Cross Site Scripting, Cross Site Request Forgery. Status: patch available. Affected software description: Application: ProjectPier, Version: = 0.80...