6 matches found
PYSEC-2026-482 PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
Summary The Platform server exposes resources under /api/v1/workspaces/workspaceid/... and protects them with a requireworkspacememberworkspaceid FastAPI dependency. The dependency only checks that the caller is a member of the workspaceid in the URL prefix. The route handlers then look up the...
CVE-2026-13164
Missing Authentication for Critical Function CWE-306 in the RegisterView apps/accounts/views.py, exposed at POST /api/auth/register/, in MailerUp 1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, becaus...
PT-2026-51838
Name of the Vulnerable Software and Affected Versions MailerUp versions prior to 1.0.1 Description Missing authentication for a critical function in the RegisterView apps/accounts/views.py allows a remote, unauthenticated attacker to self-register an account on instances where registration should...
PraisonAI Platform has a cross-workspace IDOR + member-role privilege escalation
Summary The Platform server exposes resources under /api/v1/workspaces/workspaceid/... and protects them with a requireworkspacememberworkspaceid FastAPI dependency. The dependency only checks that the caller is a member of the workspaceid in the URL prefix. The route handlers then look up the...
PT-2026-45061
Name of the Vulnerable Software and Affected Versions PraisonAI Platform affected versions not specified Description The server contains multiple authorization flaws. First, a cross-tenant Insecure Direct Object Reference IDOR exists because the require workspace member dependency only validates...
CVE-2026-34947
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, staged user custom fields and username are exposed on public invite pages without email verification. This issue has been...