4450 matches found
CVE-2026-62147
The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces. Mitigation There is no mitigation or workarou...
PT-2026-57809
Name of the Vulnerable Software and Affected Versions Tempo Operator affected versions not specified Description The gateway component fails to consistently apply namespace-scoped redaction on certain query API response paths when query RBAC Role-Based Access Control is enabled. This allows an...
CVE-2026-56252
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks...
CVE-2026-56252
Capgo before 12.128.2 is affected by a scope isolation vulnerability in the POST /webhooks/test endpoint. The issue allows app-scoped API keys to invoke organization-scoped webhook operations, enabling attackers with app-scoped credentials to trigger signed outbound webhook deliveries for arbitra...
CVE-2026-56252 Capgo - Scope Isolation Failure in Webhook Test Endpoint
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks...
EUVD-2026-43225
Capgo before 12.128.2 contains a scope isolation vulnerability in the POST /webhooks/test endpoint that allows app-scoped API keys to invoke org-scoped webhook operations. Attackers with app-scoped credentials can trigger signed outbound webhook deliveries for arbitrary organization webhooks...
CVE-2026-55881
OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob returned 15-second presigned S3 download URLs for a session's DOM-replay recording based solely on the session path parameter, while validateProjectAccess checked only that the project belonged to the...
CVE-2026-54329 Snipe-IT: Cross-Tenant Accessory Injection in Snipe-IT API
Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the Accessories API create path mass-assigns request parameters to the Accessory model while companyid is mass assignable, allowing a low-privileged authenticated user in one company to create accessory records under another compa...
Improper Authorization
github.com/coder/coder is vulnerable to Improper Authorization. The vulnerability is due to insufficient validation in the UpsertWorkspaceApp and insertAgentApp functions, which fail to verify that a supplied application ID belongs to the workspace being built before performing a cross-workspace...
EUVD-2026-42458
Insufficient policy enforcement in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. Chromium security severity: High...
EUVD-2026-42460
Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-15131
Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-15130
Insufficient policy enforcement in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. Chromium security severity: High...
CVE-2026-15131
Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-15131
CVE-2026-15131 affects Google Chrome in the Navigation path where an inappropriate implementation could allow a remote attacker to bypass site isolation via a crafted HTML page. The issue is tied to Chromium security in the Navigation component and is classified as Medium severity. Affected versi...
CVE-2026-15131
Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-15130
Insufficient policy enforcement in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. Chromium security severity: High...
CVE-2026-15130
CVE-2026-15130 affects Google Chrome navigation policy enforcement. The vulnerability arises from insufficient policy enforcement in Navigation, enabling a remote attacker to bypass site isolation via a crafted HTML page. A fix is available in the Stable channel: Windows/Mac 150.0.7871.114/115 an...
CVE-2026-15130
Insufficient policy enforcement in Navigation in Google Chrome prior to 150.0.7871.115 allowed a remote attacker to bypass site isolation via a crafted HTML page. Chromium security severity: High...
CVE-2026-59896
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight...