CVE-2026-6491

Affected software and component: libvips (up to 8.18.2), specifically the nip2 Handler’s function im_minpos_vec in libvips/deprecated/vips7compat.c. Root cause / vulnerability: manipulation of the argument n leads to a heap-based buffer overflow. Impact (as stated): local attack feasibility with ...

CVE-2026-6491

A security vulnerability has been detected in libvips up to 8.18.2. The affected element is the function imminposvec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow. An attack has to be approached...

Auth0-PHP 安全特征问题漏洞

Auth0-PHP is an open-source PHP SDK developed by Auth0 for authentication and management of APIs using Auth0. Versions of Auth0-PHP from 8.0.0 to 8.19.0 had security vulnerabilities. These vulnerabilities stemmed from the use of encryption methods with insufficient entropy when handling cookies...

CVE-2026-3282

A flaw has been found in libvips 8.19.0. This vulnerability affects the function vipsunpremultiplybuild of the file libvips/conversion/unpremultiply.c. Executing a manipulation of the argument alphaband can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been...

CVE-2026-3281

The CVE-2026-3281 vulnerability affects libvips 8.19.0, specifically the vips_bandrank_build function in libvips/conversion/bandrank.c. The issue is a heap-based buffer overflow triggered by manipulating the argument index. Attack requires local access, and public exploits exist. A patch is avail...

libvips 安全漏洞

libvips is an open-source fast image processing library with low memory requirements. Version 8.19.0 of libvips contains a security vulnerability, which stems from improper handling of the parameter “index” in the file “libvips/conversion/bandrank.c”. This vulnerability may lead to a heap-based...

CVE-2026-3284

A vulnerability was found in libvips 8.19.0. Impacted is the function vipsextractareabuild of the file libvips/conversion/extract.c. The manipulation of the argument extractarea results in integer overflow. The attack requires a local approach. The exploit has been made public and could be used...

libvips 安全漏洞

libvips is an open-source fast image processing library with low memory requirements. Versions of libvips 8.19.0 and earlier contain security vulnerabilities, which stem from a heap buffer overflow vulnerability in the vipssourcereadtomemory function...

CVE-2026-2209

A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotel...

CVE-2026-25560

WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication...

CVE-2026-25568

WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement...

CVE-2026-2209 WeKan Custom Translation translationBody.js setCreateTranslation improper authorization

A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotel...

CVE-2026-2209

A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotel...

EUVD-2026-5820

A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotel...

EUVD-2026-5711

WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers such as boardId, cardId, swimlaneId, and listId are consistent and refer to a coherent card/board relationship, enabling attempts to upload...

PT-2026-6948

Name of the Vulnerable Software and Affected Versions Wekan versions prior to 8.19 Description A flaw exists in Wekan that allows for improper authorization. This issue is related to the setCreateTranslation function within the client/components/settings/translationBody.js file of the Custom...

CVE-2026-25562

WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users...

CVE-2026-25567

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user’s identifier. Affected software: ...

CVE-2026-25567

WeKan versions prior to 8.19 contain an insecure direct object reference IDOR in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier...

CVE-2026-25565

CVE-2026-25565 affects WeKan versions prior to 8.19. Affected component: card update API paths. Root cause: authorization check only validates board read access, not write permission, enabling users with read-only roles to perform card updates that should require write access. Impact: unauthorize...