Lucene search
K

72 matches found

EUVD
EUVD
added 2026/06/12 6:11 p.m.8 views

EUVD-2026-36530

Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...

4.3CVSS5.2AI score0.00183EPSS
Exploits0References2
The Hacker News
The Hacker News
added 2026/05/26 11:49 a.m.25 views

Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions

Microsoft has rolled out updates to fix a remote code execution vulnerability impacting SharePoint that could be exploited by bad actors in attacks without requiring any specialized conditions to be met. The vulnerability, tracked as CVE-2026-45659 , carries a CVSS score of 8.8. It has been...

8.8CVSS6.6AI score0.02781EPSS
Exploits3
OSV
OSV
added 2026/05/23 12:8 a.m.9 views

GHSA-W4G9-MXGG-J532 Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification

Summary nezha's dashboard supports two user roles: RoleAdmin Role==0 and RoleMember Role==1. The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler — so a RoleMember user can call them. These handlers...

8.5CVSS5.8AI score0.0027EPSS
Exploits0References4
NVD
NVD
added 2026/05/08 3:16 p.m.18 views

CVE-2026-41487

Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An authenticated, low-privileged user of role “member” in a project could request the update of an...

5.4CVSS0.00181EPSS
Exploits0References6
CVE
CVE
added 2026/05/08 2:27 p.m.23 views

CVE-2026-41487

CVE-2026-41487 affects Langfuse (open source LLM engineering platform). From version 3.68.0 up to before 3.167.0, a role-based access control flaw in the LLM connection update flow allowed an authenticated, low-privilege user with the role “member” in a project to request updating an LLM connecti...

5.4CVSS5.7AI score0.00181EPSS
Exploits0References6Affected Software1
CNNVD
CNNVD
added 2026/05/04 12:0 a.m.9 views

n8n 安全漏洞

n8n is an open-source, scalable workflow automation tool developed by n8n. Versions of n8n prior to 1.123.32, 2.17.4, and 2.18.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of enforcement of project member checks on public API variable endpoints, allowing...

6.5CVSS5.8AI score0.00203EPSS
Exploits0References1
CNVD
CNVD
added 2026/04/08 12:0 a.m.4 views

OpenClaw has an unspecified vulnerability (CNVD-2026-16696)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that can be exploited by an attacker to cause non-whitelisted guild members to trigger reactive events and inject reactive text into downstream session environments...

5.4CVSS5.7AI score0.00151EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2026/04/07 7:37 p.m.3 views

CVE-2026-39374 Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint

Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member ADMIN or MEMBER to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...

6.5CVSS5.9AI score0.00208EPSS
Exploits1References1
OSV
OSV
added 2026/04/03 3:17 a.m.1 views

GHSA-CQGW-44WG-44RF OpenClaw: Discord voice manager bypasses channel-level member access allowlist

Summary Discord voice manager bypasses channel-level member access allowlist Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: v2026.3.28 still accepts Discord voice ingress before channel allowlist authorization, and main-only gating means this remains a real...

5.3CVSS5.9AI score0.00222EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/03/31 12:0 a.m.7 views

iccDEV 安全漏洞

iccDEV is an open-source color configuration code library developed by the International Color Consortium. Versions of iccDEV prior to 2.3.1.6 contained security vulnerabilities. These vulnerabilities stemmed from unaligned member access during the processing of custom ICC configuration files,...

6.2CVSS5.9AI score0.00156EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/03/25 12:0 a.m.7 views

PT-2026-28075

n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with the global:member role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials httpBasicAuth,...

8.5CVSS6AI score0.00392EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/09 11:20 a.m.7 views

CVE-2021-22193

An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project...

3.5CVSS6.4AI score0.00991EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/09 10:8 a.m.6 views

CVE-2019-20869

An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8.2, and 4.10.9. A non-member could change the Update/Patch Channel endpoint for a private channel...

5.3CVSS6.9AI score0.00811EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:54 a.m.8 views

CVE-2025-1792

Mattermost versions 10.7.x = 10.7.0, 10.5.x = 10.5.3, 9.11.x = 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint...

3.1CVSS6.6AI score0.00205EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/01/05 8:41 p.m.28 views

CVE-2025-64423 Coolify has a Privilege Escalation - low privileged users can see and use admin invitation links

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, a low privileged user member can see and use invitation links sent to an administrator. When they use the link before the legitimate recipie...

7.7CVSS0.00292EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2025/12/19 4:24 p.m.1 views

CVE-2025-58052 Galette has groups managers access control bypass on Members

Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since it requires...

5.3CVSS6.3AI score0.00271EPSS
Exploits1References1
OSV
OSV
added 2025/12/05 12:15 a.m.7 views

CVE-2025-14052

A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. Affected by this vulnerability is the function getMemberById of the file /mall-ums/app-api/v1/members/. The manipulation of the argument memberId leads to improper access controls. The attack is possible to be carried out...

6.5CVSS5.3AI score0.00221EPSS
Exploits1References4
CNNVD
CNNVD
added 2025/11/26 12:0 a.m.3 views

Files 授权问题漏洞

Files is a single-file PHP application by the individual developer Karl Ward. It can be dragged and dropped into any directory, allowing browsing of the files and directories within. An authorization issue vulnerability exists in Files versions prior to 0.16.11 and 0.17.2, which stems from...

5.4CVSS6.6AI score0.00157EPSS
Exploits0References3
CVE
CVE
added 2025/11/25 11:38 p.m.9 views

CVE-2025-65963

CVE-2025-65963 affects the Files module used to manage files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users in public spaces to create folders and to upload or download files as a ZIP archive; private spaces are not ...

5.4CVSS6.4AI score0.00157EPSS
Exploits0References2
OSV
OSV
added 2025/11/25 11:38 p.m.4 views

CVE-2025-65963 CFiles Unauthorized Folder/ZIP Access in Public Spaces

Files is a module for managing files inside spaces and user profiles. Prior to versions 0.16.11 and 0.17.2, insufficient authorization checks allow non-member users to create new folders, up- and download files as a ZIP archive in public spaces. Private spaces are not affected. This issue has bee...

5.4CVSS6.6AI score0.00157EPSS
Exploits0References4
Rows per page
Query Builder