31 matches found
BIT-AUTHENTIK-2023-39522 Username enumeration attack in goauthentik
goauthentik is an open-source Identity Provider. In affected versions using a recovery flow with an identification stage an attacker is able to determine if a username exists. Only setups configured with a recovery flow are impacted by this. Anyone with a user account on a system with the recover...
PT-2026-25684
Mattermost allows a removed team member to enumerate all public channels within a private team in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causi...
CVE-2026-27449
Umbraco Engage is a business intelligence platform. A vulnerability has been identified in Umbraco Engage prior to versions 16.2.1 and 17.1.1 where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the...
Umbraco CMS Security Vulnerability
Umbraco CMS is a content management system from Umbraco, Denmark. A security vulnerability exists in Umbraco CMS versions 10.0.0 through 13.12.0, which stems from improper handling of temporary files and could lead to a file enumeration attack...
GHSA-4VCF-Q4XF-F48M Better Auth Passkey Plugin allows passkey deletion through IDOR
Summary Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey. Details ctx.body.id is implicitly trusted and used in passkey deletion queries. better-auth applications configured with...
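The advisory above describes a classic insecure direct object reference: the delete query is keyed on the client-supplied passkey id alone, so any session can remove any passkey. The following is an added example written for this page, not better-auth's own code: an in-memory model of that vulnerable handler beside one scoped to the session owner. The store shape, the `ctx` object and all function names are assumptions for illustration.

```javascript
// Added example, not better-auth's code: in-memory model of the passkey-deletion IDOR.
// The store shape, ctx object and function names are assumptions for illustration.

function newStore() {
  // Constructed sample data: two users, one passkey each.
  return new Map([
    ["pk-1", { id: "pk-1", userId: "alice" }],
    ["pk-2", { id: "pk-2", userId: "bob" }],
  ]);
}

// Vulnerable pattern: any authenticated session may delete any passkey id, because
// the delete is keyed on the client-supplied id and never checks ownership.
function deletePasskeyVulnerable(store, ctx) {
  if (!ctx.session) return { status: 401 };
  const deleted = store.delete(ctx.body.id);
  return { status: deleted ? 200 : 404 };
}

// Hardened: validate the id, then scope the lookup and delete to the session's user.
// A passkey owned by someone else is reported exactly like a missing one, so the
// response does not confirm that a foreign id exists.
function deletePasskeyHardened(store, ctx) {
  if (!ctx.session) return { status: 401 };
  const id = ctx.body && ctx.body.id;
  if (typeof id !== "string" || id.length === 0) return { status: 400 };
  const row = store.get(id);
  if (!row || row.userId !== ctx.session.userId) return { status: 404 };
  store.delete(id);
  return { status: 200 };
}

// Runs bob's session against alice's passkey through both handlers and reports
// whether alice's passkey survived in each store.
function demo() {
  const request = { session: { userId: "bob" }, body: { id: "pk-1" } };
  const vuln = newStore();
  const hard = newStore();
  const r1 = deletePasskeyVulnerable(vuln, request);
  const r2 = deletePasskeyHardened(hard, request);
  return {
    vulnerable: { status: r1.status, aliceKeyRemains: vuln.has("pk-1") },
    hardened: { status: r2.status, aliceKeyRemains: hard.has("pk-1") },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The fix is the `row.userId !== ctx.session.userId` check; in a real database-backed handler the equivalent is adding the owner column to the `WHERE` clause of the delete rather than fetching and comparing in application code. Returning 404 for foreign ids, not 403, avoids turning the endpoint into an existence oracle for other users' passkey ids.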
EUVD-2025-177193
Directus's conceal fields are searchable if read permissions enabled...
CVE-2025-64748
Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked, successful matches can be detected...
CVE-2025-64748
CVE-2025-64748 affects Directus (real-time API and app dashboard for SQL databases). Prior to 11.13.0, authenticated users with read permissions can search concealed/sensitive fields; while actual values are masked, matching records reveal existence of those values, enabling data enumeration. Aff...
PT-2025-46914
Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.13.0 Description Directus allows authenticated users to search concealed or sensitive fields when they have read permissions. While the actual values are masked, successful matches can be detected through returned...
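The Directus entries above all describe the same failure mode: masking is applied to the response, but the filter still runs against the real value, so whether a row matches leaks even though the value does not. The following is an added example written for this page, not Directus code: a minimal search model with a concealed field, the leaking version beside one that rejects filters on concealed fields, and a helper showing how the match oracle turns into value recovery. The schema, rows, filter shape and the assumption that a starts-with operator is exposed are all constructed for illustration.

```javascript
// Added example, not Directus code: model of the concealed-field search leak.
// Schema, rows, filter operators and function names are constructed assumptions.

const SCHEMA = { id: {}, email: {}, api_key: { conceal: true } };
const ROWS = [
  { id: 1, email: "a@example.com", api_key: "sk-alpha-1234" },
  { id: 2, email: "b@example.com", api_key: "sk-bravo-9876" },
];

// Two filter operators; _starts_with is the one that makes enumeration cheap.
const OPS = {
  _eq: (v, x) => v === x,
  _starts_with: (v, x) => typeof v === "string" && v.startsWith(x),
};

// filter shape: { field: { op: arg, ... }, ... } ; all conditions must hold.
function applyFilter(rows, filter) {
  return rows.filter((row) =>
    Object.entries(filter).every(([field, cond]) =>
      Object.entries(cond).every(([op, arg]) => OPS[op](row[field], arg))));
}

// Masking is applied on output only.
function mask(row) {
  const out = {};
  for (const [f, v] of Object.entries(row)) out[f] = SCHEMA[f].conceal ? "**********" : v;
  return out;
}

// Vulnerable: filter on any readable field, then mask. The value never appears in
// the response, but whether a row matched does.
function searchVulnerable(filter) {
  return applyFilter(ROWS, filter).map(mask);
}

// Hardened: reject any filter that references a concealed field before the query runs.
function searchHardened(filter) {
  for (const field of Object.keys(filter)) {
    if (SCHEMA[field] && SCHEMA[field].conceal) {
      throw new Error(`cannot filter on concealed field ${field}`);
    }
  }
  return applyFilter(ROWS, filter).map(mask);
}

// Shows what the match oracle is worth: recover a concealed value one character at
// a time using a prefix filter. Returns the longest prefix that still matches a row.
function recoverConcealed(search, field, alphabet, maxLen) {
  let prefix = "";
  for (let i = 0; i < maxLen; i++) {
    const next = [...alphabet].find(
      (c) => search({ [field]: { _starts_with: prefix + c } }).length > 0);
    if (next === undefined) break;
    prefix += next;
  }
  return prefix;
}

const ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-";
console.log("recovered via vulnerable search:",
  recoverConcealed(searchVulnerable, "api_key", ALPHABET, 32));
try {
  recoverConcealed(searchHardened, "api_key", ALPHABET, 32);
} catch (e) {
  console.log("hardened search refused:", e.message);
}
```

The check in `searchHardened` only inspects top-level filter keys; a real implementation has to walk nested logical operators and relational filters as well, since a concealed field reached through a relation leaks exactly the same way. Note that the attack needs only read permission and a count of matching rows; the masked placeholder in the response is irrelevant to it.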
SICK AG Baggage Analytics Security Vulnerability
SICK AG Baggage Analytics is a visualization and analysis software for airport tracking systems from SICK AG, Germany. A security vulnerability exists in SICK AG Baggage Analytics that stems from a lack of authentication and could lead to a user enumeration attack...
EUVD-2025-13659
Malicious code in bioql PyPI...
EUVD-2024-2261
Malicious code in bioql PyPI...
EUVD-2022-28958
Malicious code in bioql PyPI...
EUVD-2023-3163
Malicious code in bioql PyPI...
Liferay Portal exposes ERC, which can be exploited through a response-timing attack
Enumeration of the ERC of object entries in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allows attackers to determine which ERCs exist in the application by exploiting t...
Yealink YMCS RPS Security Vulnerability
Yealink YMCS RPS is a device management cloud service platform with integrated RPS functionality from Yealink, China. A security vulnerability exists in Yealink YMCS RPS versions prior to 2025-06-04, which stems from a lack of limits on SN authentication attempts and could lead to brute...
CVE-2024-47057
Summary This advisory addresses a security vulnerability in Mautic related to the "Forget your password" functionality. This vulnerability could be exploited by unauthenticated users to enumerate valid usernames. User Enumeration via Timing Attack: A user enumeration vulnerability exists in the...
CVE-2023-6595
In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold...
CVE-2023-39289
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2208.101 could allow an unauthenticated attacker to conduct an account enumeration attack due to improper configuration. A successful exploit could allow an attacker to access system information...