GHSA-48M6-CH88-55MJ Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association

Summary An improper mass assignment JSON injection vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata,...

GHSA-VP22-38M5-R39R PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code

Summary The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. The blocklist implemented in PluginSecurity.validateplugincode is incomplete and can be bypassed using several Python constructs that are not checked. An...

SailPoint IdentityIQ 安全漏洞

SailPoint IdentityIQ is a security software developed by SailPoint Corporation. It provides credit monitoring, identity protection, and antivirus features. There are security vulnerabilities in versions of SailPoint IdentityIQ prior to version 8.5p2, 8.4, and 8.4p4. These vulnerabilities stem fro...

Vulnerabilities fixed in SAP products

SAP has fixed vulnerabilities in several SAP products, including SAP Supplier Relationship Management, SAP BusinessObjects Business Intelligence Platform, SAP NetWeaver Application Server Java and ABAP, SAP Landscape Transformation, SAP Business Planning and Consolidation, SAP Business Warehouse,...

CVE-2026-24318

Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued toke...

CVE-2026-27683

SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user�s browser, potentially exposing restricted information. This results in a low impact...

EUVD-2026-22148

Due to missing authorization checks in the SAP S/4HANA OData Service Manage Technical Object Structures, an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and...

EUVD-2026-22140

Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued toke...

CVE-2026-24318

The CVE concerns SAP Business Objects BI Platform. An insecure session management flaw could allow an unauthenticated attacker to obtain valid session tokens and reuse them to access or modify data within a victim’s session scope, impacting confidentiality and integrity (availability unchanged). ...

CVE-2026-24318

Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim�s session. If the application continues to accept previously issued toke...

SAP Business Objects Business Intelligence Platform 安全漏洞

SAP Business Objects Business Intelligence Platform is a set of business intelligence software and enterprise performance solutions provided by the German company SAP. This product includes features such as report generation, analysis, and data visualization. There is a security vulnerability in...

SAP BusinessObjects Business Intelligence 跨站脚本漏洞

SAP BusinessObjects Business Intelligence is a BI tool developed by the German company SAP. SAP BusinessObjects Business Intelligence has a cross-site scripting vulnerability. This vulnerability stems from allowing authenticated attackers to inject malicious JavaScript payloads through a speciall...

[SECURITY] Fedora 44 Update: kstars-3.8.0-6.fc44

KStars is a Desktop Planetarium. It provides an accurate graphical simulation of the night sky, from any location on Earth, at any date and time. The display includes up to 100 million stars, 13,000 deep-sky objects, all 8 planets, the Sun and Moon, and thousands of comets and asteroids...

CVE-2026-40044 Pachno 1.0.6 FileCache Deserialization Remote Code Execution

Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory,...

Missing Authorization

Django is vulnerable to Missing Authorization. The vulnerability is due to missing validation of add permissions for inline model instances in GenericInlineModelAdmin, which allows an attacker to submit forged POST data and create unauthorized objects...

GHSA-9GJV-JVM7-VV2V Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users

Summary Users with the Guest role could receive private sub-object data e.g. private alternate names, private addresses, private note/citation/media handles through list API endpoints such as GET /api/people/, GET /api/places/, GET /api/events/, and all other object list endpoints. This does not...

Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users

Summary Users with the Guest role could receive private sub-object data e.g. private alternate names, private addresses, private note/citation/media handles through list API endpoints such as GET /api/people/, GET /api/places/, GET /api/events/, and all other object list endpoints. This does not...

Information Exposure

Overview gramps-webapi is an A RESTful web API for the Gramps genealogical database. Affected versions of this package are vulnerable to Information Exposure in the iter process. An attacker can access private sub-object data attached to otherwise-public objects by querying list API endpoints as ...

CVE-2026-34217

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to...

Google Chrome 资源管理错误漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 147.0.7727.55 contained a resource management vulnerability. This vulnerability stemmed from the reuse of Media objects after their release, which could allow arbitrary code to be executed within a sandbox...