95 matches found
MAL-2026-10221 Malicious code in @flex-ng/error-component (npm)
The @flex-ng/error-component package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the...
CVE-2026-58653
PraisonAI before 0.1.7 fails to validate that projectid in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace...
CVE-2026-58653
PraisonAI before 0.1.7 fails to validate that projectid in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace...
CVE-2026-58653
CVE-2026-58653 affects PraisonAI prior to 0.1.7, where issue creation/update does not validate that project_id matches the URL workspace. This allows an attacker to reference projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace co...
CVE-2026-44732
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are...
CVE-2026-44732 OpenProject: IDOR on OpenProject through /api/v3/documents/{id} via PATCH parameter "project_id" leads to Unauthorized Modification of Resources
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are...
GHSA-2FJJ-QQG8-FG7X praisonai-platform: Authorization Bypass Through User-Controlled Key
Summary The issue create and update endpoints in praisonai-platform accept a projectid in the request body and persist it without validating that the project belongs to the URL workspace. A user who is a member of workspace WB and has no access to workspace WA can create issues that reference a...
CVE-2026-34417 OSCAL-GUI Reflected XSS via project parameter in oscal-forms.php
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to...
CVE-2026-11439
A vulnerability was found in theonedev onedev up to 15.0.5. Affected by this issue is some unknown functionality of the file /projects/ of the component Parent Project Handler. The manipulation of the argument project.parentId results in improper authorization. The attack may be performed from...
CVE-2026-40214
In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...
CVE-2026-45297
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...
CVE-2026-45297
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...
CVE-2026-45297 Cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via projectid case mismatch. ProjectAuthorizer.call OSS api/auth/authproject.py:14-38 and EE ee/api/auth/authproject.py:14-46 only runs...
PT-2026-44458
OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via project id case mismatch. ProjectAuthorizer. call OSS api/auth/auth project.py:14-38 and EE ee/api/auth/auth project.py:14-46 only runs projects.is...
OpenStack Cyborg's Accelerator Request (ARQ) API does not enforce project ownership at any layer
In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...
CVE-2026-40214
In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...
UBUNTU-CVE-2026-40214
In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...
CVE-2026-40214
In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...
Empty Password in Configuration File
Overview org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Empty Password in Configuration File through the GoogleSecretManagerV1AccessStrategy in the...
CVE-2026-7782 CodeCanyon Perfex CRM Tenant Clients.php project authorization
A vulnerability was detected in CodeCanyon Perfex CRM up to 3.4.1. This affects the function Clients::project of the file application/controllers/Clients.php of the component Tenant Handler. The manipulation of the argument ID results in authorization bypass. The attack may be performed from...