260 matches found
CVE-2026-33323
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided...
MAL-2026-2058 Malicious code in @emilgroup/public-api-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49b32ec5041ad00c8a07401245056cc069fd80826da4c73121803ffc3a705119 The package @emilgroup/public-api-sdk was found to contain malicious code. Source: ghsa-malware...
EUVD-2026-14170
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The saveconfig function, which handles the 'punnelsaveconfig' AJAX action, lacks any capability check currentusercan and nonce verification. This makes it...
CVE-2026-3645
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The saveconfig function, which handles the 'punnelsaveconfig' AJAX action, lacks any capability check currentusercan and nonce verification. This makes it...
CVE-2026-3645 Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The saveconfig function, which handles the 'punnelsaveconfig' AJAX action, lacks any capability check currentusercan and nonce verification. This makes it...
PT-2026-26864
The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save config function, which handles the 'punnel save config' AJAX action, lacks any capability check current user can and nonce verification. This makes i...
PT-2026-26482
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.51 Parse Server versions prior to 9.6.0-alpha.40 Description Parse Server contains a flaw where the Pages route and legacy PublicAPI route for resending email verification links reveal different responses bas...
ALPINE-CVE-2026-27135
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API nghttp2sessionterminatesession or nghttp2sessionterminatesession2 is called by the application. They might be...
CVE-2026-31891
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...
PT-2026-25975
Name of the Vulnerable Software and Affected Versions Cockpit versions 2.13.4 and earlier Description Cockpit is a headless content management system. Instances running version 2.13.4 or earlier with API access enabled are susceptible to a SQL Injection issue in the MongoLite Aggregation Optimize...
GO-2026-4659 FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info in github.com/gtsteffaniak/filebrowser/backend
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info in github.com/gtsteffaniak/filebrowser/backend...
EUVD-2026-10544
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...
CVE-2026-30933 FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...
CVE-2026-30933 FileBrowser Quantum Incomplete Remediation of CVE-2026-27611: Password-Protected Share Bypass via /public/api/share/info
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and...
CVE-2026-30933
CVE-2026-30933 (FileBrowser Quantum) affects FileBrowser Quantum prior to the fixed releases 1.3.1-beta and 1.2.2-stable. The issue relates to an incomplete remediation for CVE-2026-27611, where password-protected shares still disclose a tokenized downloadURL via /public/api/share/info. The Red H...
Client-Side Enforcement of Server-Side Security
Overview Affected versions of this package are vulnerable to Client-Side Enforcement of Server-Side Security via the shareInfoHandler process. An attacker can gain unauthorized access to confidential shared files by querying the public API endpoint and extracting tokenized download URLs, which...
FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info
Summary The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2. Details The issue stems from two flaws: 1. Tokenized download URLs are written into the...
CVE-2026-0746
The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'getaudio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...
CVE-2026-0746 AI Engine <= 3.3.2 - Authenticated (Subscriber+) Server-Side Request Forgery
The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'getaudio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...
CVE-2026-0746
The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the 'getaudio' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...