
19 matches found

Github Security Blog
added 2026/06/05 9:44 p.m. | 13 views

Bugsink: Project scoping missing in sourcemap and debug-file lookup

Summary: Bugsink before 2.2.0 resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for...

CVSS 4.3 | AI score 5.1 | EPSS 0.00178
Exploits 0 | References 4 | Affected Software 1
OSV
added 2026/06/05 9:43 p.m. | 5 views

GHSA-VX2F-6M6H-9FRF Bugsink: Issue event views can show an event from another project if its UUID is known

Description: Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a logged-in user with access to one project can view anoth...

CVSS 3.1 | AI score 5.3 | EPSS 0.00154
Exploits 0 | References 4
ATTACKERKB
added 2026/05/26 4:16 p.m. | 8 views

CVE-2026-47728

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use...

CVSS 4.3 | AI score 5.8 | EPSS 0.00178
Exploits 0 | References 3 | Affected Software 1
CVE
added 2026/05/26 4:16 p.m. | 20 views

CVE-2026-47728

Bugsink (self-hosted error tracking) prior to 2.2.0 stores and looks up sourcemaps and debug files by debug ID without scoping to the owning project. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for ano...

CVSS 4.3 | AI score 5.8 | EPSS 0.00178
Exploits 0 | References 2
NVD
added 2026/05/07 4:16 a.m. | 52 views

CVE-2026-40981

When using Google Secrets Manager as a backend for the Spring Cloud Config server, a client can craft a request to the config server that potentially exposes secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater...

CVSS 7.5 | EPSS 0.00435
Exploits 0 | References 4
Cvelist
added 2026/05/07 3:55 a.m. | 75 views

CVE-2026-40981

When using Google Secrets Manager as a backend for the Spring Cloud Config server, a client can craft a request to the config server that potentially exposes secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater...

CVSS 7.5 | EPSS 0.00435
Exploits 0 | References 1
Vulnrichment
added 2026/05/04 6:26 p.m. | 5 views

CVE-2026-42227 n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API...

CVSS 6 | AI score 5.8 | EPSS 0.00203
Exploits 0 | References 1
CVE
added 2026/05/04 6:26 p.m. | 25 views

CVE-2026-42227

The CVE affects n8n (open source workflow automation) prior to versions 1.123.32, 2.17.4, and 2.18.1. An authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying a projectId to the public API variables endpoint. The h...

CVSS 6.5 | AI score 5.8 | EPSS 0.00203
Exploits 0 | References 1 | Affected Software 1
NVD
added 2026/03/24 8:16 p.m. | 3 views

CVE-2026-33345

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/org/projects/project allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index...

CVSS 6.5 | EPSS 0.00416
Exploits 1 | References 3
ATTACKERKB
added 2026/03/24 3:35 p.m. | 2 views

CVE-2026-33676

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...

CVSS 6.5 | AI score 5.8 | EPSS 0.0033
Exploits 1 | References 5 | Affected Software 1
Positive Technologies
added 2026/03/20 12:00 a.m. | 7 views

PT-2026-26751

Name of the Vulnerable Software and Affected Versions: Vikunja (affected versions not specified). Description: An authenticated user can access task comments without proper authorization checks. Specifically, an attacker can read any task comment by ID, even if they do not have access to the associate...

CVSS 5.3 | AI score 5.9 | EPSS 0.00254
Exploits 0 | References 7
RedhatCVE
added 2025/11/05 10:04 p.m. | 8 views

CVE-2025-62520

Mantis Bug Tracker MantisBT is an open source issue tracker. In versions 2.27.1 and below, due to insufficient access-level checks, any non-admin user with access to manageconfigcolumnspage.php can use the Copy From action to retrieve the columns configuration from a private project they have no...

CVSS 5.3 | AI score 6.7 | EPSS 0.00241
Exploits 1 | References 1
EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2021-17099

Malware in sbrugna...

CVSS 7.5 | AI score 7.4 | EPSS 0.01158
Exploits 0 | References 4
EUVD
added 2025/10/03 8:07 p.m. | 11 views

EUVD-2025-6113

Malicious code in bioql PyPI...

CVSS 4.2 | AI score 6.3 | EPSS 0.0022
Exploits 1 | References 3
Tenable Nessus
added 2025/08/18 12:00 a.m. | 6 views

Linux Distros Unpatched Vulnerability : CVE-2020-13303

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Due to improper verification of permissions, an unauthorized user can acces...

CVSS 7.1 | AI score 6.4 | EPSS 0.01164
Exploits 0 | References 2
CVE
added 2025/03/06 8:31 a.m. | 80 views

CVE-2025-1540

GitLab CVE-2025-1540 affects GitLab CE/EE Self-Managed and Dedicated instances across all versions from 17.5 up to (but not including) 17.6.5, 17.7 up to 17.7.4, and 17.8 up to 17.8.2. The issue allows a user who is added as an External to read and clone internal projects under certain circumstan...

CVSS 4.2 | AI score 6.7 | EPSS 0.0022
Exploits 1 | References 2 | Affected Software 1
ATTACKERKB
added 2022/03/28 7:15 p.m. | 4 views

CVE-2022-0344

An issue has been discovered in GitLab affecting all versions starting from 10.0 before 14.5.4, all versions starting from 10.1 before 14.6.4, all versions starting from 10.2 before 14.7.1. Private project paths can be disclosed to unauthorized users via system notes when an Issue is closed via a...

CVSS 4.3 | AI score 5.3 | EPSS 0.01074
Exploits 1 | References 4 | Affected Software 1
RedHat Linux
added 2018/08/22 4:24 p.m. | 8 views

openstack-keystone: Information Exposure through /v3/OS-FEDERATION/projects

A flaw was found in Keystone federation. By doing GET /v3/OS-FEDERATION/projects an authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is...

CVSS 5.3 | AI score 5.8 | EPSS 0.01618
Exploits 0 | References 4
RedHat Linux
added 2018/08/20 12:57 p.m. | 5 views

openstack-keystone: Information Exposure through /v3/OS-FEDERATION/projects

A flaw was found in Keystone federation. By doing GET /v3/OS-FEDERATION/projects an authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is...

CVSS 5.3 | AI score 5.8 | EPSS 0.01618
Exploits 0 | References 4
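Nearly every entry in this result set has the same root cause: an object is fetched by an identifier the client supplies (Bugsink's debug ID and event UUID, n8n's projectId query parameter, solidtime's project UUID, Vikunja's related task and comment IDs, MantisBT's Copy From source project) without the lookup being tied to a scope the caller has already been authorized for, or a listing returns every object instead of the caller's subset (Keystone's /v3/OS-FEDERATION/projects). The Python below is an added example written for this page, not code from Bugsink, n8n, solidtime, Vikunja, MantisBT or Keystone; the in-memory store, the project, task and user names, and the `NotFound` exception are all constructed. It places three vulnerable patterns beside their hardened forms: resolving an object by (project, id) rather than by id alone, re-checking permission on each related object before it is expanded into a response, and filtering a listing by the caller's memberships.

```python
"""
Project-scoped authorization: vulnerable lookup patterns beside hardened ones.

Constructed example for this page; not code from any of the projects listed
above. The in-memory store, project ids, task ids and user names are made up.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Project:
    id: str
    members: frozenset          # principals allowed to read this project


@dataclass(frozen=True)
class Task:
    id: str
    project_id: str             # the owning project
    title: str
    related: tuple = ()         # ids of related tasks, possibly in other projects


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not in your project', so the
    response cannot be used as an oracle for which ids exist elsewhere."""


# Constructed fixture: alice is only in proj-a, bob only in proj-b, carol in both.
PROJECTS = {
    "proj-a": Project("proj-a", frozenset({"alice", "carol"})),
    "proj-b": Project("proj-b", frozenset({"bob", "carol"})),
}
TASKS = {
    "t1": Task("t1", "proj-a", "rotate signing key", related=("t2",)),
    "t2": Task("t2", "proj-b", "customer outage postmortem"),
}


def _can_read(user: str, project_id: str) -> bool:
    project = PROJECTS.get(project_id)
    return project is not None and user in project.members


# --- vulnerable: membership is checked for the project named in the URL, but the
#     object is then resolved by id alone, so it can come from any project.
def get_task_vulnerable(user: str, project_id: str, task_id: str) -> Task:
    if not _can_read(user, project_id):
        raise NotFound()
    task = TASKS.get(task_id)          # global lookup; owning project never compared
    if task is None:
        raise NotFound()
    return task


# --- vulnerable: related objects are expanded with no permission check of their own.
def serialize_task_vulnerable(user: str, task: Task) -> dict:
    related = [{"id": r, "title": TASKS[r].title} for r in task.related if r in TASKS]
    return {"id": task.id, "project_id": task.project_id, "title": task.title, "related": related}


# --- hardened: authorize the scope, then resolve the object *within* that scope.
def get_task(user: str, project_id: str, task_id: str) -> Task:
    if not _can_read(user, project_id):
        raise NotFound()
    task = TASKS.get(task_id)
    # The object must belong to the project the caller was just authorized for;
    # an id from another project is answered exactly like a nonexistent one.
    if task is None or task.project_id != project_id:
        raise NotFound()
    return task


# --- hardened: every expanded related object gets the same read check a direct
#     lookup would; unreadable ones are omitted rather than partially summarised.
def serialize_task(user: str, task: Task) -> dict:
    related = []
    for rid in task.related:
        r = TASKS.get(rid)
        if r is not None and _can_read(user, r.project_id):
            related.append({"id": r.id, "title": r.title})
    return {"id": task.id, "project_id": task.project_id, "title": task.title, "related": related}


# --- hardened: listings are filtered by the caller's memberships, never "all projects".
def list_projects(user: str) -> list:
    return sorted(p.id for p in PROJECTS.values() if user in p.members)


def lookup_title(fn, user: str, project_id: str, task_id: str) -> Optional[str]:
    """Helper for comparing the two lookups: title on success, None on NotFound."""
    try:
        return fn(user, project_id, task_id).title
    except NotFound:
        return None


if __name__ == "__main__":
    # alice is a member of proj-a only; t2 belongs to proj-b
    print("vulnerable:", lookup_title(get_task_vulnerable, "alice", "proj-a", "t2"))  # leaks t2's title
    print("hardened:  ", lookup_title(get_task, "alice", "proj-a", "t2"))             # None
    print("related (alice):", serialize_task("alice", TASKS["t1"])["related"])       # []
    print("related (carol):", serialize_task("carol", TASKS["t1"])["related"])       # t2 expanded
    print("projects (bob):", list_projects("bob"))                                   # ['proj-b']
```

Two design points carry over to real code. First, the hardened lookup compares the object's owning project with the project the caller was authorized for instead of trusting the URL or query parameter; in an ORM this is the difference between filtering on the id alone and filtering on the id together with the owning project in the same query. Second, "wrong project" and "does not exist" produce the same response, so guessing UUIDs from another project cannot be used to confirm that they exist.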