CVE-2026-47279

NocoDB's CVE-2026-47279 describes an Access Control problem in public shared-view relation endpoints (LTAR columns). Before patch 2026.05.1, endpoints accepted a caller-supplied column ID without verifying the column’s visibility, allowing anyone with a share UUID to read links from hidden LTAR c...

CVE-2026-47279 NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on t...

EUVD-2026-36542

parse-server: Relation $relatedTo query bypasses protectedFields and owning-object ACL...

MINI-3PJH-MR2Q-G7VR

Bulletin has no description...

MINI-JQ4R-PFH9-QVRM

Bulletin has no description...

CVE-2026-53726

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting clie...

CVE-2026-11852

Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The endpoints that create and delete relationships between artifacts enforced no permissions checks beyond being able to see the artifacts in...

CVE-2026-41007

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3...

CVE-2026-41007

Technical details are not publicly available in the provided documents. Monitor for updates.

EUVD-2026-35346

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3...

PT-2026-47645

Name of the Vulnerable Software and Affected Versions Spring HATEOAS versions 1.5.0 through 1.5.6 Spring HATEOAS versions 2.3.0 through 2.3.4 Spring HATEOAS versions 2.4.0 through 2.4.1 Spring HATEOAS versions 2.5.0 through 2.5.2 Spring HATEOAS versions 3.0.0 through 3.0.3 Description Spring...

CVE-2026-46295

In the Linux kernel KVM for x86, CVE-2026-46295 stems from a race between vmx_sync_pir_to_irr() on the target vCPU and __vmx_deliver_posted_interrupt() on a sender vCPU. The sequence of operations (pi_test_and_set_pir, then pi_test_and_set_on) can interleave such that the second sync reports max_...

MINI-X759-M9VF-GQ8G

Bulletin has no description...

CVE-2026-34602

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/courserelusers endpoint is vulnerable to Insecure Direct Object Reference IDOR, allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into...

Access Control Bypass

Overview nocodb is a NocoDB Affected versions of this package are vulnerable to Access Control Bypass via the publicMmList, publicHmList, relDataList, and nested endpoints when the show flag for a column is not properly checked. An attacker can access hidden linked records by supplying a valid...

GHSA-9WGH-M22W-9XJ8 NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints

Summary The public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. Details...

NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints

Summary The public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. Details...

PT-2026-46992

Summary The public shared-view relation endpoints accepted a caller-supplied column ID without verifying that the column was visible in the shared view, so anyone holding a share UUID could read links from any LTAR column on the view's table — including columns the view owner had hidden. Details...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via unbounded caching of StringLinkRelation instances. An attacker can cause denial of service by supplying a large number of unique link relation values, causing the static cache to...

CVE-2026-45810

A flaw was found in Nextcloud Server. An authenticated user with access to any file comment could exploit a missing relation check. This vulnerability allows the user to read the content of all comments within the system, leading to information disclosure. Mitigation Mitigation for this issue is...