21 matches found
PT-2026-43305
Name of the Vulnerable Software and Affected Versions: Bugsink versions prior to 2.2.0. Description: Bugsink is a self-hosted error tracking tool. A project-boundary authorization issue exists where issue event pages accept a direct event identifier from the URL and retrieve the event without...
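The Bugsink entry above, and several of the other results on this page (femanager, Moodle, GitLab merge request approvals), describe the same class of bug: an object is fetched by the identifier in the URL, while the authorization check, if any, is made against a different object (the project, the course, the merge request). The following added example is not Bugsink's code; it uses a hypothetical in-memory event store, hypothetical view functions and constructed sample data to show the vulnerable lookup beside the scoped one:

```python
"""Project-boundary check for an event lookup (added illustration, not Bugsink's code).

Hypothetical in-memory model. The vulnerable view verifies that the caller is a
member of the project named in the URL, then fetches the event by bare id, so an
event id from any other project is served. The fixed view scopes the lookup to
the authorized project.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    id: int
    project_id: int
    message: str


# Constructed sample data: two projects, one event each.
EVENTS = {
    1: Event(1, 100, "NullPointerException in checkout"),
    2: Event(2, 200, "Timeout calling payments API"),
}

# project_id -> users allowed to view that project (constructed)
PROJECT_MEMBERS = {100: {"alice"}, 200: {"bob"}}


class Forbidden(Exception):
    """Caller is not a member of the requested project (HTTP 403)."""


class NotFound(Exception):
    """No such event in the requested project (HTTP 404)."""


def vulnerable_event_view(user: str, project_id: int, event_id: int) -> str:
    """Membership is checked against project_id, but the event is looked up by
    id alone and never compared with project_id, so a member of project 100 can
    read event 2 from project 200 by editing the URL."""
    if user not in PROJECT_MEMBERS.get(project_id, set()):
        raise Forbidden
    event = EVENTS.get(event_id)
    if event is None:
        raise NotFound
    return event.message


def fixed_event_view(user: str, project_id: int, event_id: int) -> str:
    """Same membership check, but the event must belong to the authorized
    project. An event that exists in another project is reported as 404 rather
    than 403 so the response does not confirm that the id is valid."""
    if user not in PROJECT_MEMBERS.get(project_id, set()):
        raise Forbidden
    event = EVENTS.get(event_id)
    if event is None or event.project_id != project_id:
        raise NotFound
    return event.message


def leaks_cross_project(view) -> bool:
    """True if alice (member of project 100 only) can read event 2 (project 200)
    through the given view: the probe a tester would run against each endpoint."""
    try:
        view("alice", 100, 2)
        return True
    except (Forbidden, NotFound):
        return False


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_cross_project(vulnerable_event_view))  # True
    print("fixed leaks:     ", leaks_cross_project(fixed_event_view))       # False
```

The same probe generalizes to any of the IDOR-style entries on this page: authenticate as a user with access to one container (project, course, shop, merge request), then request an object id that belongs to another container and check whether the response is the object or a 404.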
CVE-2026-4057 Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal
The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the makeMediaPublic and makeMediaPrivate functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for the edit_posts capability...
CVE-2026-26272 HomeBox affected by Stored XSS via HTML/SVG Attachment Upload
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload...
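The HomeBox entry describes stored XSS through uploaded HTML or SVG attachments that are later served from the application's own origin. The added example below is not HomeBox's code; it is a generic, language-agnostic pattern written in Python with hypothetical helper names and constructed sample files. It shows the two controls a reviewer would look for: content-based type validation at upload time (the client-declared Content-Type is attacker-controlled) and response headers at download time that stop the browser from rendering an attachment as an active document even if a dangerous file was stored:

```python
"""Serving user uploads without letting them execute in the app origin
(added illustration, not HomeBox's code; helper names are hypothetical)."""
import re

# Types a browser renders as an active document (can run script) if served inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
# Allowlist of what this hypothetical app accepts as attachments.
ALLOWED_UPLOAD_TYPES = {"image/png", "image/jpeg", "application/pdf"}


def sniff_type(data: bytes) -> str:
    """Minimal content sniff on the first 512 bytes. The declared type is never
    trusted alone; a file named photo.png can still be an SVG with onload=."""
    head = data[:512].lstrip().lower()
    if head.startswith(b"\x89png"):
        return "image/png"
    if head.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if head.startswith(b"%pdf-"):
        return "application/pdf"
    if re.match(rb"(<\?xml[^>]*>\s*)?(<!--.*?-->\s*)*<svg", head, re.S):
        return "image/svg+xml"
    if re.search(rb"<(!doctype html|html|script|body|iframe|img|svg)\b", head):
        return "text/html"
    return "application/octet-stream"


def validate_upload(declared_type: str, data: bytes) -> tuple[bool, str]:
    """Upload-time control: reject anything the browser could execute, whether
    the client declares it or the content reveals it, and anything outside the
    allowlist. Returns (accepted, type_to_store)."""
    sniffed = sniff_type(data)
    if sniffed in ACTIVE_TYPES or declared_type.lower() in ACTIVE_TYPES:
        return False, sniffed
    if sniffed not in ALLOWED_UPLOAD_TYPES:
        return False, sniffed
    return True, sniffed


def download_headers(stored_type: str, filename: str) -> dict:
    """Download-time control (defence in depth for files that slipped through):
    force a download, forbid MIME sniffing, and sandbox any document the browser
    does render. CR, LF, quotes and separators are stripped from the filename so
    the user-supplied name cannot inject headers or break the disposition."""
    safe_name = re.sub(r'[\r\n"\\;]', "_", filename) or "download"
    content_type = "application/octet-stream" if stored_type in ACTIVE_TYPES else stored_type
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample inputs: an SVG with a script-bearing event handler, and a
# PNG header stub. Neither is a real file from the advisory.
SVG_PAYLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"></svg>'
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


if __name__ == "__main__":
    print(validate_upload("image/png", SVG_PAYLOAD))   # (False, 'image/svg+xml')
    print(validate_upload("image/png", PNG_STUB))      # (True, 'image/png')
    print(download_headers("image/svg+xml", 'evil".svg\r\nX-Injected: 1'))
```

The sniff is intentionally narrow; a production service would use a full magic-number library, but the two decisions it feeds (allowlist at upload, attachment disposition plus sandbox at download) are what close the hole described above. Serving uploads from a separate origin that holds no session cookies is the third control, and removes the need to get the first two perfect.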
EUVD-2026-9333
HomeBox is a home inventory and organization system. Prior to 0.24.0-rc.1, a stored cross-site scripting (XSS) vulnerability exists in the item attachment upload functionality. The application does not properly validate or restrict uploaded file types, allowing an authenticated user to upload...
CVE-2026-26272
CVE-2026-26272 – HomeBox is affected by a stored XSS in the item attachment upload feature. An authenticated user can upload HTML or SVG files containing JavaScript due to improper validation of file types; attachments are served via direct links and the script runs in the app’s origin when opene...
SUSE SLES15 Security Update : kernel (Live Patch 59 for SLE 15 SP3) (SUSE-SU-2025:03672-1)
The remote SUSE Linux SLES15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:03672-1 advisory. This update for the Linux Kernel 5.3.18-15030059211 fixes several issues. The following security issues were fixed: - CVE-2025-38499:...
Sensitive Data Exposure
@finos/git-proxy is vulnerable to sensitive data exposure. The vulnerability is due to improper validation of commits in the pack sent to GitHub, which allows an attacker to inject unreferenced commits containing sensitive data and retrieve them via direct commit URLs without appearing in the...
Unveiling Usability Challenges in Web Privacy Controls
With the increasing concerns around privacy and the enforcement of data privacy laws, many websites now provide users with privacy controls. However, locating these controls can be challenging, as they are frequently hidden within multiple settings and layers. Moreover, the lack of standardizatio...
The vulnerability in the femanager extension of the TYPO3 content management system allows an attacker to gain unauthorized access to protected information.
The vulnerability in the femanager extension of the TYPO3 content management system is an insecure direct object reference (IDOR). Exploiting this vulnerability could allow a remote attacker to gain unauthorized access to protected information...
UBUNTU-CVE-2023-5117
An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be accessed without authentication via a direct link to the uploaded file URL...
GitLab Community Edition and GitLab Enterprise Edition security vulnerability
GitLab Enterprise Edition (EE) and GitLab Community Edition (CE) are both products of GitLab, Inc. GitLab is a web-based DevOps platform built around Git repository management. A security vulnerability exists in GitLab Enterprise Edition EE and GitLab Community...
The vulnerability in the Moodle virtual learning environment, an insecure direct object reference (IDOR), allows an attacker to gain unauthorized access to protected information.
The vulnerability in the Moodle virtual learning environment is an insecure direct object reference (IDOR) caused by incorrect access control. Exploiting this vulnerability can allow a remote attacker to gain unauthorized access to protected information...
PT-2024-27120 · Weblir · Weblir Login As Customer Pro
Name of the Vulnerable Software and Affected Versions: Weblir Login as Customer PRO module versions prior to 1.2.7. Description: The issue allows a guest to access a direct link to connect to each customer account of the shop if the module is not installed or if a secret accessible to the...
The vulnerability in the merge request approvals function of GitLab, a Git-based platform for collaborative software development, allows an attacker to gain unauthorized access to protected information.
The vulnerability in the merge request approvals function of GitLab, a Git-based platform for collaborative software development, is an insecure direct object reference (IDOR). Exploiting this vulnerability could allow a remote attacker to gain unauthorized access to...
CVE-2023-31434
The parameters nutzertitel, nutzervn, and nutzernn in the user profile, and langID and ONLINEID in direct links, in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 do not validate input, which allows authenticated attackers to inject HTML code and XSS payloads in multiple locations...
Code injection
The parameters nutzertitel, nutzervn, and nutzernn in the user profile, and langID and ONLINEID in direct links, in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 do not validate input, which allows authenticated attackers to inject HTML code and XSS payloads in multiple locations...
Viki Solutions Viki Vera Access Control Error Vulnerability
Viki Solutions Viki Vera is a suite of workflow customization platforms from Canadian company Viki Solutions. The platform supports file uploading, job management, and other features. An access control error vulnerability exists in Viki Vera version 4.9.1.26180, which is related to the affected...