21323 matches found
CVE-2026-40185
CVE-2026-40185 concerns TREK, a collaborative travel planner. It identifies missing authorization checks on the Immich trip photo management routes before version 2.7.2, which could allow unauthorized access to trip photos. The issue is addressed in TREK 2.7.2. The CVSS metrics indicate a high-se...
CVE-2026-40185 Missing Authorization on Immich Trip Photo Routes in TREK
TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization in the dashboard log endpoints. An attacker can access sensitive operational log data by sending authenticated requests to the log endpoints without requiring elevated privileges. Remediation Upgrade...
GHSA-CP79-9MWR-WR49 Ech0: Missing authorization on dashboard log endpoints allows low-privilege users to access sensitive system logs
Summary Ech0 allows any authenticated user to read historical system logs and subscribe to live log streams because the dashboard log endpoints validate only that a JWT is present and valid, but do not require an administrator role or privileged scope. Impact Any valid user session can access GET...
GHSA-GRRG-5CG9-58PF PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
Summary readskillfile in skilltools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skillpath parameter. Unlike filetools.readfile which enforces workspace boundary confinement, and unlike runskillscript which requires critical-level approval, readskillfile has...
Missing Authorization
Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Missing Authorization via the readskillfile function. An attacker can access sensitive files on the filesystem by supplying arbitrary paths ...
CVE-2026-39592
Missing Authorization vulnerability in Andy Ha DEPART depart-deposit-and-part-payment-for-woo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DEPART: from n/a through = 1.0.7...
CVE-2026-39609
Missing Authorization vulnerability in Wava.co Wava Payment wava-payment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wava Payment: from n/a through = 0.3.7...
CVE-2026-39605
Missing Authorization vulnerability in Obadiah Super Custom Login super-custom-login allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Custom Login: from n/a through = 1.1...
CVE-2026-39607
Missing Authorization vulnerability in Wpbens Filter Plus filter-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Filter Plus: from n/a through = 1.1.17...
CVE-2026-39565
Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpTravelly: from n/a through = 2.1.7...
CVE-2026-39543
Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through = 2.21.4...
CVE-2026-39505
Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seriously Simple Podcasting: from n/a through = 3.14.2...
CVE-2026-39569
Missing Authorization vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 12 Step Meeting List: from n/a through = 3.19.9...
CVE-2026-39528
Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a through = 1.9.5...
CVE-2026-39561
Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through = 2.0.7...
CVE-2026-39485
Missing Authorization vulnerability in embedplus Youtube Embed Plus youtube-embed-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Youtube Embed Plus: from n/a through = 14.2.4...
CVE-2026-39563
Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a through = 2.12...
CVE-2026-35598 Vikunja has Missing Authorization on CalDAV Task Read
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...
CVE-2026-35598
Vikunja CalDAV Read vulnerability (CVE-2026-35598): CalDAV GetResource/GetResourcesByList fetch tasks by UID without enforcing authorization, allowing any authenticated CalDAV user who knows or guesses a task UID to read full task data from any project. Affects Vikunja before v2.3.0; fixed in v2....