Lucene search
K

56 matches found

NVD
NVD
added 6 days ago6 views

CVE-2026-45780

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This...

5.3CVSS0.00399EPSS
Exploits0References9
Cvelist
Cvelist
added 6 days ago39 views

CVE-2026-45780 Discourse: Private event sample invitees are serialized to non-invited event viewers

Discourse is an open-source discussion platform. Prior to 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5, EventSerializer could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event invitee list. This...

5.3CVSS0.00399EPSS
Exploits0References9
CVE
CVE
added 6 days ago14 views

CVE-2026-45780

CVE-2026-45780 affects Discourse prior to versions 2026.6.0, 2026.5.1, 2026.4.2, and 2026.1.5. The issue arises in EventSerializer, which could expose invited group names, sample invitees, and attendance statistics to users who could view the topic but were not entitled to view the private event ...

5.3CVSS5.9AI score0.00399EPSS
Exploits0References9Affected Software1
Positive Technologies
Positive Technologies
added 6 days ago7 views

PT-2026-56994

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.6.0 Discourse versions prior to 2026.5.1 Discourse versions prior to 2026.4.2 Discourse versions prior to 2026.1.5 Description The EventSerializer could expose invited group names, sample invitees, and attendan...

5.3CVSS6.1AI score0.00399EPSS
Exploits0References17
EUVD
EUVD
added 2026/07/01 12:34 a.m.7 views

EUVD-2026-40429

Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perfor...

8.8CVSS5.8AI score0.00303EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/26 7:41 p.m.28 views

CVE-2026-44731 OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via "invited_user_id" in GET parameter "filters" leads to user names disclosure

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user account...

4.3CVSS0.00186EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 7:41 p.m.21 views

CVE-2026-44731

OpenProject contains an input leakage in the web application’s meetings filter feature that lets an attacker determine whether a user ID is valid and view the user’s full name, enabling enumeration of existing accounts. The issue occurs before versions 17.3.2 and 17.4.0 and is resolved by upgradi...

4.3CVSS5.8AI score0.00186EPSS
Exploits0References1
OSV
OSV
added 2026/06/26 7:41 p.m.3 views

CVE-2026-44731 OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via "invited_user_id" in GET parameter "filters" leads to user names disclosure

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user account...

4.3CVSS6AI score0.00186EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/01 8:48 p.m.6 views

CVE-2026-35514

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...

6.5CVSS5.7AI score0.00243EPSS
Exploits0References1
NVD
NVD
added 2026/04/30 7:16 p.m.7 views

CVE-2026-35514

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...

6.5CVSS0.00243EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/30 6:21 p.m.36 views

CVE-2026-35514 Unauthenticated Account Registration via /user/invited Bypasses All Signup Restrictions in Chartbrew

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...

6.5CVSS0.00243EPSS
Exploits0References2
CVE
CVE
added 2026/04/30 6:21 p.m.14 views

CVE-2026-35514

Vulnerability overview : Chartbrew 4.9.0 contains an unauthenticated account creation bypass via POST /user/invited, which does not validate invite tokens, authentication headers, or sessions. This allows any unauthenticated user to create a fully active account and obtain a valid JWT, even when ...

6.5CVSS5.4AI score0.00243EPSS
Exploits0References2
OSV
OSV
added 2026/04/30 6:21 p.m.2 views

CVE-2026-35514 Unauthenticated Account Registration via /user/invited Bypasses All Signup Restrictions in Chartbrew

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...

6.5CVSS6AI score0.00243EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/30 12:0 a.m.10 views

chartbrew 访问控制错误漏洞

Chartbrew is an open-source data visualization and dashboard-building tool developed by Chartbrew. Version 4.9.0 of Chartbrew contains a security vulnerability related to access control. This vulnerability arises from the endpoint POST /user/invited, which does not validate any invitation tokens,...

6.5CVSS5.8AI score0.00243EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/30 12:0 a.m.8 views

PT-2026-36159

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoi...

6.5CVSS5.4AI score0.00243EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/04/20 7:22 p.m.7 views

CVE-2026-40196

HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the...

8.1CVSS5.7AI score0.00247EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/17 9:1 p.m.7 views

CVE-2026-40196

HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group, even after their access to that group was revoked. While the web interface correctly enforced the...

8.1CVSS5.7AI score0.00247EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2025/11/07 8:56 p.m.6 views

CVE-2025-64326

Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed i...

3.5CVSS6.7AI score0.00181EPSS
Exploits0References1
PyPA
PyPA
added 2025/11/06 9:15 p.m.11 views

PYSEC-2025-230

Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed i...

3.5CVSS5.8AI score0.00181EPSS
Exploits0References2Affected Software1
PyPA
PyPA
added 2025/11/06 9:15 p.m.11 views

PYSEC-2025-126

Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed i...

3.5CVSS5.8AI score0.00181EPSS
Exploits0References2Affected Software1
Rows per page
Query Builder