6 matches found
FUXA provides guest and invalid-token access to protected read APIs in secure mode
Summary: When secureEnabled=true, FUXA 1.3.0-2773 still allows guest and invalid-token requests to read project, alarms, and scheduler APIs. Details: In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints. Confirmed behavior: - guest...
CVE-2026-44374
CVE-2026-44374 affects Backstage when using the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed. Prior to version 0.6.11, these endpoints do not enforce permission checks, enabling any authenticated user to access unprocessed entity records regardless o...
Incorrect Authorization
Overview: @backstage/plugin-catalog-backend-module-unprocessed is a Backstage Catalog module to view unprocessed entities. Affected versions of this package are vulnerable to Incorrect Authorization in the unprocessed entities read endpoints. An attacker can gain unauthorized access to sensitive...
EUVD-2023-3198
Malicious code in bioql PyPI...
GHSA-FHR7-8JX4-R9CP Infinispan REST Server's bulk read endpoints do not properly evaluate user permissions
A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions...
CVE-2023-3628
A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions...