CVE-2026-40592

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route GET /conversation/undo-reply/threadid checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a...

GHSA-G8RR-7RJ2-F627 praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id}

Summary Type: Authorization bypass enabling destructive action. The DELETE /workspaces/workspaceid endpoint is gated only by requireworkspacememberworkspaceid default minrole="member". Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project,...

PT-2026-45485

Summary Type: Authorization bypass enabling destructive action. The DELETE /workspaces/workspace id endpoint is gated only by require workspace memberworkspace id default min role="member". Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project...

Gogs has authorization bypass in repository deletion API

Summary The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access including read-only collaborators can delete the entire repository. This vulnerability stems from the API route configuration only utilizing the...

CVE-2025-65033

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not...