CVE-2026-35514
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...
CVE-2026-35514 Unauthenticated Account Registration via /user/invited Bypasses All Signup Restrictions in Chartbrew
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...
CVE-2026-35514
Vulnerability overview : Chartbrew 4.9.0 contains an unauthenticated account creation bypass via POST /user/invited, which does not validate invite tokens, authentication headers, or sessions. This allows any unauthenticated user to create a fully active account and obtain a valid JWT, even when ...
PT-2026-36159
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...
chartbrew Access Control Error Vulnerability
Chartbrew is an open-source data visualization and dashboard-building tool developed by Chartbrew. Version 4.9.0 of Chartbrew contains a security vulnerability related to access control. This vulnerability arises from the endpoint POST /user/invited, which does not validate any invitation tokens,...
CVE-2026-40196
HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the...
CVE-2025-64326
Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed i...
PYSEC-2025-230
Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed i...
PYSEC-2025-126
Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed i...
CVE-2025-64326 Weblate leaks the IP of project members inviting users to assume reviewer roles in Audit log
Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed i...
GHSA-GR35-VPX2-QXHC Weblate leaks the IP of project member inviting user to be reviewer in Audit log
Summary Weblate leaks the IP address of the project member inviting the user to the project in the audit log. Details The audit log included IP addresses from admin-triggered actions, and those could be viewed by invited users. Impact The inviting user's admin's IP address could be leaked to...
lemlist: Unauthorized Password Reset Allows Account Takeover Across Tenant Boundaries
An authorization issue was discovered in the application that allowed a tenant admin to change the password of another user within the same tenant, including invited agency accounts. The victim had to first accept the invitation before the attacker could proceed. The issue could allow unintended...
Linux Distros Unpatched Vulnerability : CVE-2021-22249
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group CVE-2021-22249 Note...
Linux Distros Unpatched Vulnerability : CVE-2021-22264
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions...
CVE-2021-22249
A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group...
Fides Security Vulnerability
Fides is an open source privacy engineering platform open-sourced by Ethyca to manage the implementation of data privacy requests in the runtime environment and the enforcement of privacy regulations in code. A security vulnerability exists in Fides that stems from a user invitation to accept an...
GitLab 13.8 < 14.0.9 / 14.1 < 14.1.4 / 14.2 < 14.2.2 (CVE-2021-22264)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab affecting all versions starting from 13.8 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. Under...
PT-2022-24944 · Discourse · Discourse
Name of the Vulnerable Software and Affected Versions: Discourse affected versions not specified Description: The issue affects the Discourse open source discussion platform, where in rare cases, users redeeming an invitation can be added as a participant to several private message topics they...