Lucene search
K

95 matches found

OSV
OSV
added 2026/07/06 12:0 a.m.3 views

MAL-2026-10221 Malicious code in @flex-ng/error-component (npm)

The @flex-ng/error-component package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the...

6.1AI score
Exploits0References3
NVD
NVD
added 2026/07/02 1:17 p.m.9 views

CVE-2026-58653

PraisonAI before 0.1.7 fails to validate that projectid in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace...

5.3CVSS0.00158EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/02 12:34 p.m.9 views

CVE-2026-58653

PraisonAI before 0.1.7 fails to validate that projectid in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace...

5.3CVSS5.8AI score0.00158EPSS
Exploits0References3
CVE
CVE
added 2026/07/02 12:34 p.m.16 views

CVE-2026-58653

CVE-2026-58653 affects PraisonAI prior to 0.1.7, where issue creation/update does not validate that project_id matches the URL workspace. This allows an attacker to reference projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace co...

5.3CVSS5.8AI score0.00158EPSS
Exploits0References2
NVD
NVD
added 2026/06/26 8:17 p.m.5 views

CVE-2026-44732

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are...

4.3CVSS0.00201EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 7:39 p.m.23 views

CVE-2026-44732 OpenProject: IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "project_id" leads to Unauthorized Modification of Resources

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are...

4.3CVSS0.00201EPSS
Exploits0References1
OSV
OSV
added 2026/06/18 2:48 p.m.4 views

GHSA-2FJJ-QQG8-FG7X praisonai-platform: Authorization Bypass Through User-Controlled Key

Summary The issue create and update endpoints in praisonai-platform accept a projectid in the request body and persist it without validating that the project belongs to the URL workspace. A user who is a member of workspace WB and has no access to workspace WA can create issues that reference a...

4.3CVSS5.5AI score0.00158EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/09 9:2 p.m.34 views

CVE-2026-34417 OSCAL-GUI Reflected XSS via project parameter in oscal-forms.php

OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to...

6.1CVSS0.00168EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/06 5:15 p.m.8 views

CVE-2026-11439

A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from...

6.5CVSS5AI score0.00214EPSS
Exploits0References7Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:27 p.m.10 views

CVE-2026-40214

In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...

6.3CVSS5.5AI score0.00206EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/29 8:13 p.m.14 views

CVE-2026-45297

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...

5.3CVSS5.8AI score0.00207EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/28 4:50 p.m.10 views

CVE-2026-45297

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...

5.3CVSS5.8AI score0.00207EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/28 4:50 p.m.3 views

CVE-2026-45297 Cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...

5.3CVSS6AI score0.00207EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.15 views

PT-2026-44458

OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via project id case mismatch. ProjectAuthorizer. call OSS api/auth/auth project.py:14-38 and EE ee/api/auth/auth project.py:14-46 only runs projects.is...

5.3CVSS5.8AI score0.00207EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/08 12:31 a.m.12 views

OpenStack Cyborg's Accelerator Request (ARQ) API does not enforce project ownership at any layer

In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...

6.3CVSS5.8AI score0.00206EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/05/07 10:16 p.m.27 views

CVE-2026-40214

In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...

6.3CVSS0.00206EPSS
Exploits0References3
OSV
OSV
added 2026/05/07 10:16 p.m.4 views

UBUNTU-CVE-2026-40214

In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...

6.3CVSS5.8AI score0.00206EPSS
Exploits0References6
Debian CVE
Debian CVE
added 2026/05/07 12:0 a.m.6 views

CVE-2026-40214

In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...

6.3CVSS5.8AI score0.00206EPSS
Exploits0
Snyk
Snyk
added 2026/05/06 12:0 a.m.6 views

Empty Password in Configuration File

Overview org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Empty Password in Configuration File through the GoogleSecretManagerV1AccessStrategy in the...

7.5CVSS5.9AI score0.00435EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/04 10:30 p.m.6 views

CVE-2026-7782 CodeCanyon Perfex CRM Tenant Clients.php project authorization

A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be performed from...

6.5CVSS6.3AI score0.00211EPSS
Exploits0References4
Rows per page
Query Builder