Missing Authentication for Critical Function
Overview: symfony/mailtrap-mailer is a Symfony Mailtrap Mailer Bridge. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the doParse webhook request parser in the Mailtrap mailer bridge. An attacker can submit forged webhook events because the pars...
CVE-2026-34233 CtrlPanel has Missing Authentication Checks in Datatable Admin Endpoints
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators onl...
CVE-2026-34233
CVE-2026-34233 affects CtrlPanel, an open-source billing app. In versions ≤1.1.1, multiple admin controllers expose DataTable endpoints that can be reached via GET and lack any authorization checks. Despite routes living under the /admin/ prefix, the route group middleware does not enforce admin-...
CVE-2026-8602
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings...
CVE-2026-8602 Missing authentication for critical function in ScadaBR
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings...
EUVD-2026-30960
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings...
PT-2026-41988
In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings...
CVE-2026-8737
A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java of the component Trade Address Query Handler. Executing a manipulation of the argume...
TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection
Title: Missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection in TinyIce. Ecosystem / Package: Ecosystem: Go or "Other" — TinyIce is shipped as a Go binary, not a Go module published to a registry; Package name: github.com/DatanoiseTV/tinyice. Affected versions =...
GHSA-P7C4-8X34-8J8F TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection
Title: Missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection in TinyIce. Ecosystem / Package: Ecosystem: Go or "Other" — TinyIce is shipped as a Go binary, not a Go module published to a registry; Package name: github.com/DatanoiseTV/tinyice. Affected versions =...
TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection
TinyIce's WebRTC source-ingest HTTP endpoint, POST /webrtc/source-offer?mount=, accepted any inbound WebRTC SDP offer with no authentication check. The handler routed the offer to WebRTCManager.HandleSourceOffer, which then accepted whatever audio/video tracks the peer published and broadcast the...
CVE-2026-8737 Sanluan PublicCMS Trade Address Query TradeAddressListDirective.java execute missing authentication
A weakness has been identified in Sanluan PublicCMS 5.202506.d. This issue affects the function execute of the file publiccms-trade/src/main/java/com/publiccms/views/directive/trade/TradeAddressListDirective.java of the component Trade Address Query Handler. Executing a manipulation of the argume...
Missing Authentication For Critical Function
Sliver is vulnerable to Missing Authentication For Critical Function. The vulnerability is due to the DNS C2 listener allocating server-side sessions without validating TOTP values and lacking session cleanup, which allows an attacker to create excessive sessions and exhaust server memory...
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
Summary: A critical identity spoofing vulnerability in MCPHub allows any unauthenticated user to impersonate any other user — including administrators — on SSE (Server-Sent Events) and MCP transport endpoints. The server accepts a username from the URL path parameter and creates an internal user...
Missing Authentication for Critical Function
Overview: open-webui is an Open WebUI. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the getstatus function. An attacker can access sensitive configuration details by sending an unauthenticated HTTP GET request to the affected endpoint...
GHSA-65PG-QHHW-MXWG Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure
Vulnerability Type: Information Disclosure / Missing Authentication; Severity: Medium; Component: backend/openwebui/routers/retrieval.py — getstatus GET /; Affected Endpoint: GET /api/v1/retrieval/; Affected Version: Open WebUI main branch — confirmed unpatched through v0.9.2; Authentication Required:...
Open WebUI Vulnerable to Unauthenticated RAG Configuration Disclosure
Vulnerability Type: Information Disclosure / Missing Authentication; Severity: Medium; Component: backend/openwebui/routers/retrieval.py — getstatus GET /; Affected Endpoint: GET /api/v1/retrieval/; Affected Version: Open WebUI main branch — confirmed unpatched through v0.9.2; Authentication Required:...
CVE-2026-42572
Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any...
CVE-2026-45371 SiYuan: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST /api/storage/updateRecentDocViewTime, POST...