5 matches found
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the Boards API when file ownership and access control are not properly validated. An attacker can gain unauthorized access to and download files belonging to other users or teams by...
CVE-2026-3473
Mattermost versions 11.6.x = 11.6.0, 11.5.x = 11.5.3, 11.4.x = 11.4.4, 10.11.x = 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs...
EUVD-2026-25372
The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxiremovecustomimagesize' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-leve...
GHSA-VPH7-R229-QXPF Focalboard doesn't validate file ownership when serving uploaded files
UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued...
Time-of-Check To Time-of-Use (TOCTOU) Race Condition
snowflake-sdk is vulnerable to a Time-of-Check to Time-of-Use TOCTOU race condition. The vulnerability is due to improper validation of file ownership and permissions during logging configuration loading, allowing an attacker to modify the file between the check and its use...