CKAN 信任管理问题漏洞

CKAN is an open-source data management system developed by CKAN contributors. It is used to power data centers and data portals. Versions of CKAN prior to 2.10.10 and 2.11.5 contained a trust management vulnerability. This vulnerability stemmed from the possibility that the configured SMTP server...

CVE-2026-6411

The CVE-2026-6411 issue affects MAXHUB Pivot client applications before v1.36.2. It stems from a hardcoded AES key, allowing decrypting encrypted tenant email addresses and related metadata, resulting in cleartext exposure. Additionally, an attacker could trigger a denial-of-service by enrolling ...

Improper Access Control

Mattermost is vulnerable to improper access control. The vulnerability is due to insufficient sanitization and access restrictions on team email addresses, which allows an authenticated user to exploit the GET /api/v4/channels/channelid/commonteams endpoint to view sensitive team email informatio...

CVE-2026-35400 LORIS incorrectly trusts user input in publication module

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's PO...

CVE-2026-33761

WWBN AVideo is an open source video platform. In versions up to and including 26.0, three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories add.json.php, delete.json.php, index.php requires User::isAdmin. An...

CVE-2026-33761

WWBN AVideo is an open source video platform. In versions up to and including 26.0, three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories add.json.php, delete.json.php, index.php requires User::isAdmin. An...

CVE-2026-30244

Plane is an an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission...

CVE-2026-2025

Mail Mint WordPress plugin versions prior to 1.19.5 contain an information disclosure vulnerability due to missing authorization on a REST API endpoint, allowing unauthenticated users to retrieve email addresses of blog users. Affected versions:

PT-2026-22423

Name of the Vulnerable Software and Affected Versions Statmatic versions prior to 5.73.11 Statmatic versions prior to 6.4.0 Description Statmatic is a Laravel and Git powered content management system CMS. Before versions 5.73.11 and 6.4.0, user email addresses were included in responses from the...

CVE-2026-26031

Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.44.0, security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students by email in batches. This vulnerability is fixed ...

CVE-2026-26031 Frappe LMS affected by unauthorised user was able to access the full list of batch enrolled students

Frappe Learning Management System LMS is a learning system that helps users structure their content. Prior to 2.44.0, security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students by email in batches. This vulnerability is fixed ...

CVE-2026-24933 An improper certificate validation vulnerability was found in ADM while sending HTTPS requests to the server.

The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle MitM attack to intercept the cleartext communication,...

CVE-2026-24422

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list endpoint calls Question::getAll with showAll=true by default, returning...

Information Exposure

Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Information Exposure via OpenQuestionController::list. An attacker can access sensitive email addresses and non-public records by sending requests to...

SUSE CVE-2025-12559

Mattermost versions 11.0.x = 11.0.2, 10.12.x = 10.12.1, 10.11.x = 10.11.4, 10.5.x = 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/channelid/commonteams endpoint...

CVE-2025-69284

CVE-2025-69284 affects the open-source project management tool Plane (plane.io). Before version 1.2.0, a guest user could access the API endpoint /api/workspaces/:slug/members/ and enumerate members of a workspace they joined. The response’s display_name is the email handler, allowing a malicious...

CVE-2025-13741

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it...

CVE-2025-13741 Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) Authors' Emails Exposure

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it...

CVE-2025-13741 Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) Authors' Emails Exposure

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it...

PT-2025-51474

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it...