Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via disclosure of the link share hash combined with an insecure direct object reference in attachment handling. An attacker can access sensitive data across the entire instance by chainin...
GO-2026-4855 Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api
Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If thi...
GO-2026-4850 Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api
Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...
GO-2026-4848 Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api
Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports fr...
CVE-2021-4474
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-26 20:25:01+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mhygqwfvmb2s... |
CVE-2026-33505
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-26 20:14:55+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mhyg6ucvzd2z |
| 2026-03-26 21:36:40+00:00 | seen | Telegram/gdbQBvnuOgX0zlyJL9kfjxoCoTp9WBTGn5-zeTA4spKkwcA |
| 2026-04-18 09:37:07+00:00 | seen | ... |
CVE-2026-3190
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-26 20:07:22+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mhyfre7bhx22... |
CVE-2026-33537
Lychee (open-source photo management) is affected by an SSRF issue in Photo::fromUrl due to incomplete IP validation that does not block loopback and link-local addresses. Before version 7.5.1, an authenticated user could reach internal services via direct IPs, bypassing all four protection confi...
EUVD-2026-16369
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...
CVE-2026-33537
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...
CVE-2026-33537 Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...
CVE-2026-4851
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-26 19:35:49+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mhydyx4lem27 |
| 2026-03-29 01:30:30+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116309873682821772 |
| 2026-03-31 21:19:21+00:00 | published-proof-of-concept | ... |
CVE-2026-33149
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_u...
CVE-2026-33525
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-26 19:16:14+00:00 | seen | https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-33525 |
| 2026-03-26 19:54:48+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mhyf2uyiqb2j... |
CVE-2026-3098
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-26 19:05:09+00:00 | seen | https://bsky.app/profile/mysites.guru/post/3mhycc3upol2b |
| 2026-03-27 03:16:03+00:00 | seen | https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-3098 |
| 2026-03-29 19:00:26+00:00 | seen | ... |
CVE-2026-26074
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-26 18:58:31+00:00 | seen | https://bsky.app/profile/postac001.bsky.social/post/3mhybwb2tdh2e |
| 2026-03-31 05:20:08+00:00 | seen | https://bsky.app/profile/cyberhub.blog/post/3midgjihdb62c... |
CVE-2026-4923
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-26 18:56:15+00:00 | seen | https://bsky.app/profile/ulisesgascon.com/post/3mhybs4t2sk27 |
| 2026-03-26 20:17:55+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mhygeac6dl2i... |
CVE-2026-33149 Tandoor Recipes Vulnerable to Host Header Injection
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Versions up to and including 2.5.3 set ALLOWED_HOSTS = '' by default, which causes Django to accept any value in the HTTP Host header without validation. The application uses request.build_absolute_u...