6 matches found
Exploit for Incorrect Authorization in Pydio Cells
CVE-2023-32749 | Pydio Cells Unauthorised Role Assignment Exp...
CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...
CVE-2025-62057
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality. This issue affects Houzez Theme - Functionality: from n/a through 4.2.0...
PT-2024-36795 · Unknown · Onyxia-Api
Name of the Vulnerable Software and Affected Versions: Onyxia-API versions prior to 2.8.2; Onyxia-API versions prior to 3.1.1; Onyxia-API versions prior to 4.2.0. Description: This issue allows authenticated users to remotely execute code within the Onyxia-API, potentially leading to unauthorized...
GHSA-GG42-MWR6-P82C Mattermost Server has intermittent Authorization bypass for resource-owners
An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and 4.0.5, when used as an OAuth 2.0 service provider. Resource-owner authorization can be intermittently bypassed, allowing account takeover...
Subrion CMS Cross-Site Request Forgery Vulnerability
Subrion CMS is a PHP-based content management system (CMS) developed by the Subrion team. The system can be integrated into a website and supports a variety of extensions, plug-ins and more. A cross-site request forgery vulnerability exists in Subrion CMS versions prior to 4.2.0 that stems from a...