122107 matches found
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the path key in blobs.yaml. An attacker can write arbitrary files and exfiltrate sensitive information by supplying crafted input that causes traversal outside the intended directory. Details A Directory Traversa...
CVE-2026-13450 GamiPress <= 7.9.4 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'access' Parameter
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This...
EUVD-2026-42540
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This...
CVE-2026-13450
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This...
CVE-2026-13450
The CVE describes a vulnerability in the GamiPress WordPress plugin (versions up to 7.9.4) where Insecure Direct Object Reference is triggered via the access parameter due to missing validation on a user-controlled key. This allows unauthenticated attackers to view private GamiPress activity log ...
CVE-2026-12517 Fediverse Embeds < 1.5.8 - Unauthenticated SSRF via Site Info Endpoint
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users the gating nonce is exposed on public pages carrying an embed to make the site request...
JetBrains YouTrack < 2026.2.16593 Multiple Vulnerabilities
The version of JetBrains YouTrack installed on the remote host is prior to 2026.2.16593. It is, therefore, affected by multiple vulnerabilities, including: - The websandbox bridge was vulnerable to a prototype pollution attack. CVE-2026-57926 - Improper access control allowed reading users' priva...
PT-2026-56830
Name of the Vulnerable Software and Affected Versions Open WebUI versions 0.9.0 through 0.9.x Description The execute automation function rehydrated automation owners without verifying if they remained active or retained features.automations permissions. Additionally, the check model access...
PT-2026-57010
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.1 Description The '/api/storage/getCriteria' endpoint returns saved search criteria from the data/storage/criteria.json file without applying the publish-access filtering used by other storage endpoints. This allow...
GitLab 9.1 < 18.11.7 / 19.0 < 19.0.4 / 19.1 < 19.1.2 (CVE-2026-7492)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an...
CVE-2026-7492
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls...
CVE-2026-8472
GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to...
CVE-2026-7492 Missing Authorization in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls...
CVE-2026-7492
GitLab CE/EE vulnerable in all versions before patch levels: 18.11.7 for 9.1–18.11.x, 19.0.4 for 19.0.x, and 19.1.2 for 19.1.x. The issue allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls on cross‑project reference pages. Impact...
EUVD-2026-42406
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an unauthenticated user to determine the existence of a private project due to improper authorization controls...
CVE-2026-8472
CVE-2026-8472 affects GitLab Enterprise Edition and reports a privilege/authorization issue where an authenticated user with minimal access could read work item metadata from private projects. The root cause is missing authorization checks, enabling unintended metadata access. Affected versions i...
CVE-2026-8472 Missing Authorization in GitLab
GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to...
EUVD-2026-42314
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails...
CVE-2026-59262 AFFiNE - Unauthorized Document Edit History Access via GraphQL histories Field
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails...
EUVD-2026-42298
repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly validate http://, https://, and file:// URLs before passing them to git clone, enabling attackers t...