CVE-2026-6341

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

CVE-2026-6341 Incomplete group locking implementation

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

CVE-2026-6341 Incomplete group locking implementation

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

PT-2026-41642

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to check the create post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update an...

CVE-2026-5448

X.509 date buffer overflow in wolfSSLX509notAfter / wolfSSLX509notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS...

CVE-2026-4312

GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access certain APIs to create a new administrative account...

CVE-2025-69418 Unauthenticated/unencrypted trailing bytes with low-level OCB function calls

Issue summary: When using the low-level OCB API directly with AES-NI orother hardware-accelerated code paths, inputs whose length is not a multipleof 16 bytes can leave the final partial block unencrypted and unauthenticated.Impact summary: The trailing 1-15 bytes of a message may be exposed...

CVE-2025-66581

Frappe LMS (versions before 2.41.0) has a server-side authorization flaw where endpoints relied on client-side checks, allowing authenticated low-privilege users (e.g., students) to perform actions outside their roles via the API. The issue is fixed in 2.41.0. Affected component: server-side perm...

CVE-2025-65966

OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0...

EUVD-2025-12325

Malicious code in bioql PyPI...

CVE-2025-3518

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the...

CVE-2025-3518

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the...

CVE-2025-3518 File upload functionality possible even when disabled

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the...

CVE-2025-3518

CVE-2025-3518 affects Unblu Spark (and related Unblu platform components) where a user can upload a file to a conversation via direct API requests even if the file upload feature is disabled for certain use cases. The configured per-use-case enable/disable setting is bypassed by direct API upload...

PT-2025-17490 · Unblu · Unblu Spark +1

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A user can upload a file to a conversation even if the file upload functionality is disabled. The system allows file uploads through direct API requests, despite the functionality being...

Improper access control

Dalmark Systems Systeam 2.22.8 build 1724 is vulnerable to Incorrect Access Control. The Systeam application is an ERP system that uses a mixed architecture based on SaaS tenant and user management, and on-premise database and web application counterparts. A broken access control vulnerability ha...

Server side request forgery (ssrf)

InterMind iMind Server through 3.13.65 allows remote unauthenticated attackers to read the self-diagnostic archive via a direct api/rs/monitoring/rs/api/system/dump-diagnostic-info?server=127.0.0.1 request...