DEBIAN-CVE-2026-53655

node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extend...

CVE-2026-56253

Capgo before 12.128.2 contains an improper access control vulnerability in the public.getorgmembers RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sbpublishable key and an organization UUID to retrieve...

CVE-2026-56253 Capgo - Unauthenticated Organization Member Email Disclosure via get_org_members RPC

Capgo before 12.128.2 contains an improper access control vulnerability in the public.getorgmembers RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sbpublishable key and an organization UUID to retrieve...

CVE-2026-56253

Capgo is affected by an improper access control vulnerability in the public.get_org_members RPC prior to version 12.128.2. unauthenticated attackers can enumerate organization members by calling the endpoint with a public sb_publishable_* key and an organization UUID, exposing emails, user IDs, r...

CVE-2026-56253

Capgo before 12.128.2 contains an improper access control vulnerability in the public.getorgmembers RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sbpublishable key and an organization UUID to retrieve...

CVE-2026-10720 MicroCeph path traversal issue in the remote-import API

Canonical MicroCeph versions from the squid and tentacle track are vulnerable to a path traversal issue in the remote-import API. Holders of a trusted cluster mTLS certificate such as enrolled cluster members or join token can manipulate files in an imported remote cluster within the...

Meta Tapped a Pentagon Supplier to Prototype Face Recognition for Its Glasses

Rank One, whose board includes a former CIA deputy director and a former FBI science chief, supplied face recognition to Meta for internal development of its smart glasses app...

ROOT-APP-NPM-CVE-2024-34448 CVE-2024-34448 in @rootio/tryghost__members-csv - Patched by Root

Root has patched CVE-2024-34448 in the @rootio/tryghostmembers-csv package for Root:npm. Multiple fixed versions available...

CVE-2026-47124 Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users...

CVE-2026-47124 Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users...

EUVD-2026-36593

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks no ownership check. This issue has been patched in version 2.0.8...

CVE-2026-47236

Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...

CVE-2026-47236 Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission

Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...

CVE-2026-47236

CVE-2026-47236 affects the Solidtime open‑source time-tracking app prior to version 0.12.2. The root cause is insufficient access control in the Jetstream-backed team page: invitations:view and members:view permissions gate the official APIs, but the Jetstream page authorizes access with only bel...

CVE-2026-3433 Mattermost fails to scope role_updated websocket events to authorized team and channel members

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15, 10.11.x = 10.11.16 fail to restrict roleupdated websocket event broadcasts to members of the affected team or channel which allows an authenticated attacker with guest-level access to observe permission scheme change...

PT-2026-48954

Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam and then loads and...

CVE-2026-47169 Quest Bot: Manage Server users can configure AutoRole to grant Administrator to controlled joining accounts

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the select...

keycloak: Keycloak: Information disclosure due to user profile permission bypass

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

CVE-2026-21037

Improper input validation in Samsung Members prior to version 5.8.01.5 allows local attackers to access arbitrary URL and launch arbitrary activity with Samsung Members privilege...

CVE-2026-36387

A Remote Code Execution vulnerability was found in CODEASTRO Membership Management System v1.0 in /addmembers.php. This vulnerability affects the file upload functionality, where improper file sanitization allows attackers to inject malicious files which leads RCE...