22 matches found
CVE-2026-35461
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs,...
CVE-2026-35462
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...
CVE-2026-35461
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs,...
CVE-2026-35460
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected...
CVE-2026-35462 Papra Does Not Reject Expired API Keys
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...
CVE-2026-35462
Papra (document management/archiving platform) prior to version 26.4.0 does not validate API key expiresAt against current time during authentication, allowing expired keys to access protected endpoints as if valid. Affected: Papra before 26.4.0; Impact: potential unauthorized access with network...
CVE-2026-35462 Papra Does Not Reject Expired API Keys
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...
CVE-2026-35462
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...
CVE-2026-35461 Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs,...
CVE-2026-35461
Papra (vulnerable before 26.4.0) contains a Blind SSRF via its webhook system: authenticated users can register arbitrary webhook URLs without destination validation, causing the server to make outbound HTTP POSTs to those URLs—including localhost, internal ranges, and cloud provider metadata end...
EUVD-2026-19655
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs,...
CVE-2026-35461 Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs,...
CVE-2026-35461
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs,...
CVE-2026-35460 Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected...
CVE-2026-35460
Papra (document management platform) is affected by an HTML injection in transactional emails prior to version 26.4.0, where user.display name is interpolated into email HTML without escaping. An attacker registering with a display name containing HTML could inject tags into verification and pass...
CVE-2026-35460 Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected...
CVE-2026-35460
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected...
Papra 安全漏洞
Papra is an open-source document management and archiving platform developed by Papra itself. Versions of Papra prior to 26.4.0 contained security vulnerabilities. These vulnerabilities stemmed from transactional email templates that directly inserted user.name into HTML without escaping or...
PT-2026-30855
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expire...
Papra 代码问题漏洞
Papra is an open-source document management and archiving platform developed by Papra. Versions of Papra prior to 26.4.0 contained code vulnerabilities. These vulnerabilities stemmed from the lack of verification of API keys with an expiresAt date during authentication. As a result, any API key...