6 matches found
CVE-2026-10549
CVE-2026-10549 describes an LDAP filter injection in Yandex Database leading to bypass of group membership checks and unauthorized access for an attacker with valid LDAP credentials. Affected product: Yandex Database before version 25.3.1.25. Root cause: LDAP filter injection in the authenticatio...
CVE-2026-44426
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list user IDs, e-mails, roles, settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own...
GHSA-756Q-GQ9H-FP22 n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure
Impact An authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing...
Incomplete Comparison with Missing Factors
Overview Affected versions of this package are vulnerable to Incomplete Comparison with Missing Factors in the cryptocoreed25519isvalidpoint function when handling certain custom cryptography or untrusted data. An attacker can bypass intended cryptographic group membership checks by supplying...
CVE-2025-13767 Unauthorized Read Access to Private Channel Posts via Mattermost Jira Plugin
Mattermost versions 11.1.x = 11.1.0, 11.0.x = 11.0.5, 10.12.x = 10.12.3, 10.11.x = 10.11.7 fails to validate user channel membership when attaching Mattermost posts as comments to Jira issues, which allows an authenticated attacker with access to the Jira plugin to read post content and attachmen...
(Plone): Anonymous users can list user account names
It was discovered that Plone, included as a part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially crafted URL that, when processed, could allow the attacker to enumerate user account names...