Lucene search
K

34362 matches found

CVE
CVE
added 2026/03/24 3:44 p.m.17 views

CVE-2026-33678

Vikunja prior to 2.2.1 suffers an IDOR: TaskAttachment.ReadOne() queries by attachment ID only and ignores the URL task_id, allowing any authenticated user to access or delete attachments across projects by supplying their own task_id. The read path validates the URL task, but ReadOne() loads the...

8.1CVSS5.8AI score0.00265EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/03/24 12:57 p.m.25 views

CVE-2026-33484

Langflow exposes an unauthenticated IDOR on image downloads via /api/v1/files/images/{flow_id}/{file_name} in versions 1.0.0–1.8.1. An attacker who can discover or guess a flow_id can download any user’s uploaded images without credentials in multi-tenant deployments. A patch is available in vers...

7.5CVSS5.8AI score0.05838EPSS
Exploits1References1Affected Software1
Debian CVE
Debian CVE
added 2026/03/24 12:30 p.m.9 views

CVE-2026-4689

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9...

10CVSS7.9AI score0.00665EPSS
Exploits0
Imperva Blog
Imperva Blog
added 2026/03/24 11:11 a.m.5 views

API Security for AI Agents: Why Protection Has Never Been More Important.

For years, a lot of risky APIs survived simply because they were hard to find. They weren’t documented. Only a handful of engineers knew the endpoints. And if an attacker wanted to abuse them, they had to spend real time reverse‑engineering traffic and guessing how things worked. That “security b...

5.9AI score
Exploits0
OSV
OSV
added 2026/03/24 9:6 a.m.2 views

MAL-2026-2416 Malicious code in oc-ccp-module-client (npm)

Malware due to hex obfuscation, suspicious install script, dynamic module loading, OS command access, process object access, and untrustworthy project. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b2b4b9cee1369c441aa8d759bc04085a8e2b14786df20656a8c6bc249e6260...

5.8AI score
Exploits0References1
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.5 views

Silicon Labs Simplicity Studio 安全漏洞

Silicon Labs Simplicity Studio is an integrated development environment for embedded system development and debugging provided by Silicon Labs, a company in the United States. There is a security vulnerability in Silicon Labs Simplicity Studio, which stems from the acceptance of user-controllable...

2.1CVSS5.8AI score0.00443EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/23 8:45 p.m.23 views

CVE-2026-23487 Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4...

6CVSS0.0022EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/23 8:45 p.m.1 views

CVE-2026-23487 Blinko: IDOR - user.detail Endpoint Leaks Superadmin Token

Blinko is an AI-powered card note-taking project. Prior to version 1.8.4, there is an IDOR vulnerability where user.detail Endpoint Leaks the Superadmin Token. This issue has been patched in version 1.8.4...

6CVSS5.7AI score0.0022EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/23 8:30 p.m.8 views

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

Summary The video proxy endpoint GET /v1/videos/:taskid/content is vulnerable to an Insecure Direct Object Reference IDOR. Any authenticated user who knows another user's taskid can retrieve that user's generated video content because the handler queries tasks by taskid alone and does not verify...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/23 8:30 p.m.5 views

GHSA-F35R-V9X5-R8MC New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

Summary The video proxy endpoint GET /v1/videos/:taskid/content is vulnerable to an Insecure Direct Object Reference IDOR. Any authenticated user who knows another user's taskid can retrieve that user's generated video content because the handler queries tasks by taskid alone and does not verify...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References4
CVE
CVE
added 2026/03/23 7:18 p.m.29 views

CVE-2026-30886

The CVE-2026-30886 entry describes an Insecure Direct Object Reference (IDOR) in the video proxy endpoint GET /v1/videos/:task_id/content of the New API LLM gateway/AI asset manager. Before version 0.11.4-alpha.2, any authenticated user could access video content owned by others due to a missing ...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/23 7:18 p.m.23 views

CVE-2026-30886 New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS0.00274EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/23 7:18 p.m.10 views

CVE-2026-30886 New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/23 7:18 p.m.4 views

CVE-2026-30886

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/23 7:18 p.m.3 views

CVE-2026-30886 New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

6.5CVSS6.4AI score0.00274EPSS
Exploits1References4
OSV
OSV
added 2026/03/23 7:16 p.m.4 views

UBUNTU-CVE-2026-26209

cbor2 provides encoding and decoding for the Concise Binary Object Representation CBOR serialization format. Versions prior to 5.9.0 are vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the...

7.5CVSS5.8AI score0.00417EPSS
Exploits1References6
OSV
OSV
added 2026/03/23 6:16 p.m.3 views

GO-2026-4778 Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets in github.com/juju/juju

Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets in github.com/juju/juju...

6.6CVSS5.8AI score0.00269EPSS
Exploits1References3
OSV
OSV
added 2026/03/23 6:16 p.m.3 views

GO-2026-4797 Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments in code.vikunja.io/api...

5.3CVSS5.8AI score0.00254EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/03/23 6:13 p.m.4 views

WordPress REST API TO MiniProgram plugin <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference via 'userid' REST API Parameter vulnerability discovered by WordFence in WordPress Plugin REST API TO MiniProgram versions = 5.1.2...

5.3CVSS5.8AI score0.00324EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/03/23 3:30 p.m.6 views

EUVD-2026-14435

A flaw was found in the GNU Binutils BFD library, a widely used component for handling binary files such as object files and executables. The issue occurs when processing specially crafted XCOFF object files, where a relocation type value is not properly validated before being used. This can caus...

6.1CVSS5.7AI score0.00162EPSS
Exploits0References4
Rows per page
Query Builder