1142 matches found
Zimbra Collaboration - Cross-Site Scripting (XSS)
An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0. A Cross-Site Scripting XSS vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this v...
CVE-2026-56312
Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...
EUVD-2026-42884
Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...
CVE-2026-56312
Capgo before 12.128.2 is affected by an improper validation vulnerability in the accept_invitation endpoint. The issue allows bypassing captcha validation to create user accounts, potentially wasting invite links and enabling unauthorized account creation. Affected product/version: Capgo prior to...
CVE-2026-56312 Capgo - Account Creation Before CAPTCHA Validation in accept_invitation Endpoint
Capgo before 12.128.2 contains an improper validation vulnerability in the acceptinvitation endpoint that creates user accounts before captcha validation is enforced. Attackers can bypass captcha protection by sending POST requests with invalid captcha tokens to create unwanted accounts and burn...
EUVD-2026-42714
An Improper Validation of Syntactic Correctness of Input vulnerability in the SIP plugin of Juniper Networks Junos OS on MX Series with SPC3 and SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service DoS.If the SIP ALG is enabled on an affected device, the...
CVE-2026-57026
CVE-2026-57026 affects Junos OS on MX Series with SPC3 and SRX Series . The issue is an Improp er Validation of Syntactic Correctness of Input in the SIP plugin, enabling an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) . When the SIP ALG is enabled, processing a malf...
EUVD-2026-40438
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.inviteusertoorg RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...
EUVD-2026-40440
Capgo before 12.128.2 contains improper error handling in the /private/acceptinvitation endpoint that returns HTTP 500 instead of safe 4xx errors when magicinvitestring is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magicinvitestring values ...
CVE-2026-56331
Capgo before 12.128.2 contains improper error handling in the /private/acceptinvitation endpoint that returns HTTP 500 instead of safe 4xx errors when magicinvitestring is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magicinvitestring values ...
CVE-2026-56327
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.inviteusertoorg RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...
CVE-2026-56331
Capgo before 12.128.2 is affected by improper error handling in the /private/accept_invitation endpoint. The vulnerability causes HTTP 500 errors instead of safe 4xx responses when magic_invite_string is invalid, potentially leaking internal processing details. Attackers can trigger this using on...
CVE-2026-56331 Capgo - Improper Error Handling in Accept Invitation Endpoint via Invalid Magic String
Capgo before 12.128.2 contains improper error handling in the /private/acceptinvitation endpoint that returns HTTP 500 instead of safe 4xx errors when magicinvitestring is invalid. Attackers can trigger this vulnerability using only the public key by submitting malformed magicinvitestring values ...
CVE-2026-56327
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.invite_user_to_org RPC that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call a SECURITY DEFINER function with a publishable API key to...
CVE-2026-56327
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.inviteusertoorg RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...
CVE-2026-56327 Capgo - Unauthenticated Organization Existence Oracle via public.invite_user_to_org RPC
Capgo before 12.128.2 contains an information disclosure vulnerability in the public.inviteusertoorg RPC function that allows unauthenticated attackers to enumerate organization existence by observing distinct error responses. Attackers can call the SECURITY DEFINER function with a publishable AP...
CVE-2026-46552 NocoDB: Shared-base link access can invite arbitrary users as persistent base members
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID xc-shared-base-id, an attacker could enumerate base members and invite an arbitrary email in...
CVE-2026-46552
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID xc-shared-base-id, an attacker could enumerate base members and invite an arbitrary email in...
CVE-2026-46552 NocoDB: Shared-base link access can invite arbitrary users as persistent base members
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID xc-shared-base-id, an attacker could enumerate base members and invite an arbitrary email in...
CVE-2017-20256 Joomla Survey Force Deluxe 3.2.4 SQL Injection via invite Parameter
Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite parameter. Attackers can send GET requests to the component with crafted SQL payloads in the invite...