Lucene search
+L

22 matches found

CVE
CVE
added yesterday7 views

CVE-2026-35147

HCL DFXServer is affected by a Broken Authentication vulnerability via direct API access. The application fails to verify the user’s authentication status when accessing specific API endpoints, allowing an unauthenticated attacker to interact with the APIs and perform unauthorized actions without...

8.2CVSS6.1AI score
Exploits0References1
NVD
NVD
added 2026/06/09 9:16 a.m.14 views

CVE-2026-34905

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted...

6.5CVSS0.00325EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/09 7:35 a.m.40 views

CVE-2026-34905 Apache Answer: Unlisted Questions Accessible via Direct API Access

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted...

0.00325EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/18 7:5 a.m.41 views

CVE-2026-6341 Incomplete group locking implementation

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

4.3CVSS0.00152EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/18 7:5 a.m.10 views

CVE-2026-6341

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/18 7:5 a.m.10 views

CVE-2026-6341 Incomplete group locking implementation

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References1
OSV
OSV
added 2026/05/18 6:53 a.m.3 views

CVE-2026-3637 Mattermost fails to enforce create_post permission when editing posts

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 fail to check the createpost channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...

4.3CVSS5.9AI score0.00152EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.14 views

PT-2026-41642

Name of the Vulnerable Software and Affected Versions Mattermost versions 11.5.0 through 11.5.1 Mattermost versions 10.11.0 through 10.11.13 Mattermost versions 11.4.0 through 11.4.3 Description An issue exists where the software fails to verify the create post channel permission during post edit...

4.3CVSS5.8AI score0.00152EPSS
Exploits0References9
OSV
OSV
added 2026/05/15 7:34 p.m.3 views

CVE-2026-44561 Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the isuserchannelmember function checks whether a ChannelMember row exists but does not check the isactive field. When a user is deactivated from a group or DM channel removed by the...

5.4CVSS5.9AI score0.00178EPSS
Exploits1References3
AlpineLinux
AlpineLinux
added 2026/04/09 11:18 p.m.23 views

CVE-2026-5448

X.509 date buffer overflow in wolfSSLX509notAfter / wolfSSLX509notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS...

4.3CVSS5.6AI score0.00122EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/03/26 2:58 p.m.8 views

CVE-2026-4312

GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access certain APIs to create a new administrative account...

9.8CVSS5.8AI score0.0045EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/01/27 4:1 p.m.30 views

CVE-2025-69418 Unauthenticated/unencrypted trailing bytes with low-level OCB function calls

Issue summary: When using the low-level OCB API directly with AES-NI orother hardware-accelerated code paths, inputs whose length is not a multipleof 16 bytes can leave the final partial block unencrypted and unauthenticated.Impact summary: The trailing 1-15 bytes of a message may be exposed...

0.00115EPSS
Exploits1References6
CVE
CVE
added 2025/12/05 6:26 p.m.14 views

CVE-2025-66581

Frappe LMS (versions before 2.41.0) has a server-side authorization flaw where endpoints relied on client-side checks, allowing authenticated low-privilege users (e.g., students) to perform actions outside their roles via the API. The issue is fixed in 2.41.0. Affected component: server-side perm...

6.5CVSS6.2AI score0.00181EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2025/11/27 7:10 p.m.8 views

CVE-2025-65966

OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0...

8.8CVSS6.8AI score0.00275EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2025-12325

Malicious code in bioql PyPI...

5.3CVSS6.6AI score0.00216EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/04/26 12:29 a.m.8 views

CVE-2025-3518

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the...

5.3CVSS6.9AI score0.00216EPSS
Exploits0References1
NVD
NVD
added 2025/04/22 9:15 a.m.16 views

CVE-2025-3518

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the...

5.3CVSS0.00216EPSS
Exploits0References1
CVE
CVE
added 2025/04/22 8:49 a.m.63 views

CVE-2025-3518

CVE-2025-3518 affects Unblu Spark (and related Unblu platform components) where a user can upload a file to a conversation via direct API requests even if the file upload feature is disabled for certain use cases. The configured per-use-case enable/disable setting is bypassed by direct API upload...

5.3CVSS6.5AI score0.00216EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2025/04/22 8:49 a.m.5 views

CVE-2025-3518 File upload functionality possible even when disabled

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the...

5.3CVSS6.8AI score0.00216EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/04/22 12:0 a.m.7 views

PT-2025-17490 · Unblu · Unblu Spark +1

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A user can upload a file to a conversation even if the file upload functionality is disabled. The system allows file uploads through direct API requests, despite the functionality being...

5.3CVSS6AI score0.00216EPSS
Exploits0References6
Rows per page
Query Builder