21 matches found

Source: RedhatCVE (added yesterday, 3 views)

CVE-2026-42593

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf +...

CVSS 5.3, AI score 5.5, EPSS 0.00076
Exploits: 1, References: 1
Source: RedhatCVE (added yesterday, 4 views)

CVE-2026-39309

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission...

CVSS 5.5, AI score 5.9, EPSS 0.00005
Exploits: 0, References: 1
Source: NVD (added 2026/05/20 12:16 a.m., 7 views)

CVE-2026-39309

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission...

CVSS 5.5, EPSS 0.00005
Exploits: 0, References: 2
Source: Cvelist (added 2026/04/28 8:11 p.m., 30 views)

CVE-2026-41649 Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces

Outline is a service that allows for collaborative documentation. The shares.create API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference. When both collectionId and documentId are provided in the request, the authorization logic only checks...

CVSS 7.7, EPSS 0.00036
Exploits: 1, References: 3
Source: Cvelist (added 2026/02/25 6:43 p.m., 14 views)

CVE-2026-25927 OpenEMR Missing Authorization Checks in DICOM Viewer State API

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API e.g. upload or state save/load accepts a document ID docid without verifying that the document belongs to the current user’s authorized patie...

CVSS 7.1, EPSS 0.00132
Exploits: 1, References: 1
Source: ATTACKERKB (added 2026/01/19 6:08 p.m., 3 views)

CVE-2026-23878

HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents PDFs, attachments associated...

CVSS 6.5, AI score 5.3, EPSS 0.00056
Exploits: 0, References: 4
Source: OSV (added 2026/01/15 4:16 p.m., 0 views)

UBUNTU-CVE-2025-64516

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item ticket, asset, .... If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed i...

CVSS 7.5, AI score 5.8, EPSS 0.00045
Exploits: 1, References: 7
Source: EUVD (added 2026/01/15 4:01 p.m., 2 views)

EUVD-2025-206294

GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item ticket, asset, .... If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed i...

CVSS 7.5, AI score 6.2, EPSS 0.00045
Exploits: 1, References: 5
Source: CNNVD (added 2025/12/10 12:00 a.m., 2 views)

i2A CronosWeb security vulnerability

i2A CronosWeb is an integration and automation tool for SAP environments from the Spanish company i2A. A security vulnerability exists in i2A CronosWeb version 25.00.00.12 and prior versions, which stems from the manipulation of the documentCode parameter that could lead to accessing other user...

CVSS 8.3, AI score 6.5, EPSS 0.00055
Exploits: 0, References: 2
Source: CVE (added 2025/11/04 1:10 p.m., 5 views)

CVE-2025-41114

CanalDenuncia.app is affected by a missing authorization vulnerability allowing an attacker to access other users’ information via a POST to /backend/api/buscarDocumentosByIdDenunciaUsuario.php with id_denuncia and id_user. The root cause is improper authorization validation for these parameters,...

CVSS 8.7, AI score 6.3, EPSS 0.00048
Exploits: 0, References: 1, Affected Software: 1
Source: EUVD (added 2025/10/31 9:43 a.m., 2 views)

EUVD-2025-37320

Therefore Corporation GmbH has recently become aware that Therefore™ Online and Therefore™ On-Premises contain an account impersonation vulnerability. A malicious user may potentially be able to impersonate the web service account or the account of a service using the API when connecting to the...

CVSS 8.8, AI score 6.2, EPSS 0.00063
Exploits: 0, References: 2
Source: EUVD (added 2025/10/03 8:07 p.m., 1 view)

EUVD-2023-58582

Malicious code in bioql PyPI...

CVSS 5.3, AI score 5.7, EPSS 0.00859
Exploits: 0, References: 4
Source: EUVD (added 2025/10/03 8:07 p.m., 2 views)

EUVD-2025-10293

Malicious code in bioql PyPI...

AI score 6.6
Exploits: 0, References: 5
Source: RedhatCVE (added 2025/10/02 12:17 a.m., 2 views)

CVE-2025-59686

Kazaar 1.25.12 allows /api/v1/org-id/orders/order-id/documents calls with a modified order-id...

AI score 6.9, EPSS 0.00037
Exploits: 0, References: 1
Source: NVD (added 2025/10/01 3:15 p.m., 2 views)

CVE-2025-59686

Kazaar 1.25.12 allows /api/v1/org-id/orders/order-id/documents calls with a modified order-id...

CVSS 6.5, EPSS 0.00037
Exploits: 0, References: 2
Source: CVE (added 2025/10/01 12:00 a.m., 9 views)

CVE-2025-59686

Kazaar 1.25.12 has a vulnerability in the API endpoint /api/v1/org-id/orders/order-id/documents where a modified order-id allows an insecure direct object reference. Root cause: manipulation of the order-id parameter. Impact: potential unauthorized access or data manipulation for orders. Exploita...

CVSS 6.5, AI score 6.5, EPSS 0.00037
Exploits: 0, References: 2
Source: OSV (added 2025/08/09 2:02 a.m., 0 views)

CVE-2025-55149 Path Traversal Vulnerability in PDF Review Function (CWE-22)

Tiny-Scientist is a lightweight framework for automating the entire lifecycle of scientific research—from ideation to implementation, writing, and review. In versions 0.1.1 and below, a critical path traversal vulnerability has been identified in the reviewpaper function in backend/app.py. The...

CVSS 8.8, AI score 6.9, EPSS 0.0048
Exploits: 0, References: 3
Source: CNNVD (added 2023/05/18 12:00 a.m., 2 views)

Apple macOS Ventura security vulnerability

Apple macOS Ventura is a desktop operating system from Apple Inc. in the United States. A security vulnerability exists in Apple macOS Ventura version 13.4, which originates from an unauthenticated user who may be able to access recently printed documents...

CVSS 5.5, AI score 6.2, EPSS 0.00076
Exploits: 0, References: 12
Source: CNVD (added 2020/05/07 12:00 a.m., 4 views)

Citrix Systems Citrix ShareFile storage zones Controller path traversal vulnerability (CNVD-2020-41789)

Citrix Systems Citrix ShareFile is a file sharing solution from Citrix Systems. storage zones Controller is one of the storage zone controllers. A security vulnerability exists in Citrix Systems Citrix ShareFile storage zones Controller. An attacker could exploit this vulnerability to access...

CVSS 7.5, AI score 6.8, EPSS 0.67099
Exploits: 0, References: 1
Source: Cvelist (added 2019/12/18 5:33 p.m., 15 views)

CVE-2019-8770

The issue was addressed with improved permissions logic. This issue is fixed in macOS Catalina 10.15. A malicious application may be able to access recent documents...

AI score 5.3, EPSS 0.00227
Exploits: 0, References: 1