724 matches found
CVE-2026-13250
The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete all...
CVE-2026-42172 Coolify: Sanctum API Tokens Have No Expiration — Leaked Tokens Grant Permanent Access
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474...
CVE-2026-42172 Coolify: Sanctum API Tokens Have No Expiration — Leaked Tokens Grant Permanent Access
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474...
CVE-2026-42172
CVE-2026-42172 affects Coolify prior to version 4.0.0-beta.474, where Sanctum API tokens did not expire. The underlying issue allowed a leaked token to retain access indefinitely until manually revoked. The vulnerability is resolved in 4.0.0-beta.474.
MAL-2026-6845 Malicious code in lint-nuler (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3f9e0e240b15ecbe934992f121b12fa84d736e4432e20346c7860941517acaf2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization in the workflow approval process. An attacker can gain unauthorized access to protected resources or perform privileged actions by bypassing the intended approval gate through manipulation of permanent fork pull...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization in the workflow approval process. An attacker can gain unauthorized access to protected resources or perform privileged actions by bypassing the intended approval gate through manipulation of permanent fork pull...
CVE-2026-58424
Permanent Fork PR Workflow Approval Gate Bypass...
CVE-2026-58424
Permanent Fork PR Workflow Approval Gate Bypass...
CVE-2026-58424
Technical details about CVE-2026-58424 are not publicly available in the provided documents. No product, vector, or impact specifics are included. Monitor for updates in official advisories.
CVE-2026-58424 Permanent Fork PR Workflow Approval Gate Bypass
Permanent Fork PR Workflow Approval Gate Bypass...
PT-2026-55657
Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A flaw exists that allows for a permanent fork pull request workflow approval gate bypass. This issue enables an attacker to circumvent the required approval...
CVE-2026-50132
Budibase is an open-source low-code platform. Prior to 3.39.0, GET /api/chat-links/:instance/:token/handoff is a public endpoint no auth required that performs a permanent, state-changing operation: it binds an external chat identity Slack/Discord/MS Teams to an authenticated Budibase user accoun...
CVE-2026-8380
The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the Frontend File Manager Plugi...
CVE-2026-8380
The CVE-2026-8380 issue affects the Frontend File Manager (nmedia-user-file-uploader) WordPress plugin
GHSA-V2WP-FRMC-5Q3V Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise
Lemur 1.9.0: any SSO-authenticated user achieves AWS IAM compromise and permanent PKI key access via ACME acmeurl SSRF and creator-equality IDOR Vulnerability Summary Field | Value -- | -- Title | Lemur 1.9.0: any SSO-authenticated user achieves AWS IAM compromise and permanent PKI key access via...
CVE-2026-55762 Rocket.Chat: Any Authenticated User Can Permanently Deregister Workspace from Rocket.Chat Cloud via Unprotected `/api/v1/fingerprint` Endpoint
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication authRequired: true but performs no authorization check. Any authenticated user —...
GHSA-CMWH-PVXP-8882 DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)
Summary DOMPurify 3.4.7 shipped a security fix "permanent hook pollution" that makes a registered uponSanitizeAttribute hook's mutation of data.allowedAttributes non-persistent — so allowing an attribute for one element does not leak into later sanitize calls. The fix clones ALLOWEDATTR inside...
Malicious code in express-self-destruct (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817 On npm install, the package's postinstall hook node scripts/inject.js walks up from the install directory to locate the consumer's project root and...
CVE-2026-0067
In multiple functions of ubsanthrowingruntime.cpp, there is a possible way to cause a permanent denial of service due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...