3 matches found
CVE-2026-35594 Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication GetLinkShareFromClaims in pkg/models/linksharing.go constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner delet...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to the lack of server-side validation in the GetLinkShareFromClaims process. An attacker can retain unauthorized access to resources by using previously issued JWT tokens even after a link share is...
Check Point Response to CVE-2025-3831 - Exposed SFTP server
Cause The agent used a shared SFTP key embedded in the software to upload diagnostic logs. The key was granted permission to read and list files on the server, rather than restricted to upload-only access. As a result, anyone possessing the key could access log files uploaded by other customers...