Lucene search
K

52 matches found

CVE
CVE
added yesterday14 views

CVE-2026-56336

Capgo before 12.128.2 contains an information-disclosure vulnerability in the unauthenticated /private/sso/check-domain endpoint that returns internal org_id and provider_id values. Attackers can enumerate email domains to map domains to organization UUIDs and SSO provider identifiers, enabling r...

6.9CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added yesterday7 views

EUVD-2026-43232

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /private/sso/check-domain endpoint that returns internal orgid and providerid values. Attackers can enumerate email domains to build mappings of domains to organization UUIDs and SSO provider identifiers...

6.9CVSS6.1AI score
Exploits0References2
NVD
NVD
added 2026/06/26 1:16 p.m.7 views

CVE-2026-57920

Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/orgId endpoints...

7.7CVSS0.0022EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 12:20 p.m.5 views

CVE-2026-57920

Peplink InControl 2 through 2.14.2 before 2026-06-03 allows use of a semicolon to bypass access-control rules for certain /rest/o/orgId endpoints...

7.7CVSS5.8AI score0.0022EPSS
Exploits1References2
CVE
CVE
added 2026/06/26 12:20 p.m.21 views

CVE-2026-57920

Peplink InControl 2 (affected versions 2 through 2.14.2, before 2026-06-03) is vulnerable to a access-control bypass via a semicolon in requests to certain /rest/o/{orgId} endpoints. The available documents confirm the vulnerability and affected product but do not provide exploitation steps or a ...

7.7CVSS5.8AI score0.0022EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.14 views

PT-2026-52699

Name of the Vulnerable Software and Affected Versions Peplink InControl 2 versions 2 through 2.14.2 Description An access control bypass exists in certain /rest/o/orgId endpoints. This issue allows the use of a semicolon to circumvent established access-control rules. Recommendations Update Pepli...

7.7CVSS5.9AI score0.0022EPSS
Exploits1References6
NVD
NVD
added 2026/06/25 8:17 p.m.5 views

CVE-2026-57521

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers...

5.3CVSS0.00248EPSS
Exploits1References5
NVD
NVD
added 2026/06/24 1:16 p.m.10 views

CVE-2026-56270

Flowise before 3.1.0 versions 3.0.13 and earlier contains a missing authentication vulnerability in the /api/v1/loginmethod endpoint that allows unauthenticated users to retrieve an organization's complete SSO configuration, including OAuth client secrets in cleartext, by providing an...

8.7CVSS0.00383EPSS
Exploits1References2
CVE
CVE
added 2026/06/23 6:7 p.m.21 views

CVE-2026-54324

CVE-2026-54324 affects Daytona API service (NestJS) used in Daytona’s notification WebSocket gateway. The cross-tenant flaw allowed any authenticated user to join another organization’s realtime channel by binding a client-supplied organization ID to the corresponding room without verifying membe...

6.5CVSS6.3AI score0.00275EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 6:7 p.m.40 views

CVE-2026-54324 Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join

Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, a cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification...

6.5CVSS0.00275EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.9 views

PT-2026-51410

Name of the Vulnerable Software and Affected Versions Capgo backend Supabase edge functions versions prior to 12.128.2 Description Inconsistent authentication enforcement exists across HTTP methods. The global authentication middleware is not applied to the 'GET /private/role bindings/:org id'...

6.9CVSS5.8AI score0.00322EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.17 views

PT-2026-50595

Name of the Vulnerable Software and Affected Versions Daytona versions 0.101.0 through 0.184.0 Description A cross-tenant authorization flaw exists in the notification WebSocket gateway of the Daytona API service apps/api NestJS application. The JWT handshake joins a client-supplied organization...

6.5CVSS5.8AI score0.00275EPSS
Exploits0References7
NVD
NVD
added 2026/05/29 6:17 p.m.17 views

CVE-2026-43917

Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource's org matches the session's...

5.3CVSS0.00225EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 4:40 p.m.26 views

CVE-2026-43917

CVE-2026-43917 (Dokploy) describes an IDOR due to a missing organization scoping check in the protectedProcedure middleware prior to 0.19.0. The middleware only validates authentication, not that the resource’s organization matches the session’s activeOrganizationId, enabling cross-organization a...

5.3CVSS5.8AI score0.00225EPSS
Exploits0References1
OSV
OSV
added 2026/04/21 12:4 p.m.4 views

BIT-GRAFANA-2026-21727 Grafana Correlations: Cross-Tenant Data Disclosure and Permanent Deletion via Legacy org_id=0 Record

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: " Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvssscore: "3.3" cvssvector:...

3.3CVSS5.7AI score0.00204EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/20 12:0 a.m.10 views

SuperAGI 安全漏洞

SuperAGI is an open-source infrastructure application developed by SuperAGI. It is used to build components, tools, frameworks, and models to achieve open-source AGI. Versions of SuperAGI 0.0.14 and earlier contain security vulnerabilities. These vulnerabilities stem from improper handling of the...

5.5CVSS6AI score0.003EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/15 8:23 p.m.12 views

Incorrect Permission Assignment for Critical Resource

Overview Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the Correlations feature due to a backward compatibility condition that allows records with orgid=0 to be accessed across organizations. An attacker with datasource management...

3.8CVSS5.8AI score0.00204EPSS
Exploits0References2
Veeam
Veeam
added 2026/03/02 12:0 a.m.12 views

"4BDN: Connected Salesforce Org already exists"

Challenge When attempting to add a Salesforce sandbox to an on-premise installation of Veeam Backup for Salesforce , the following error occurs: 4BDN: Connected Salesforce Org already exists. Cause This occurs when the sandbox being added has the same name as a Salesforce sandbox that was...

6AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/02/09 9:31 p.m.12 views

Keycloak affected by improper invitation token validation

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token JWT payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...

8.1CVSS5.5AI score0.00453EPSS
Exploits2References13Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/09 6:36 p.m.7 views

CVE-2026-1529

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token JWT payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an...

8.1CVSS5.2AI score0.00453EPSS
Exploits2References3
Rows per page
Query Builder