
Github Security Blog
added 2026/05/28 6:08 p.m., 19 views

OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd

Summary: An organization admin can escalate their privileges by adding a user from a different organization, one with higher privileges, to their own organization. Impact: Full platform access, access to sensitive or proprietary information...

CVSS 7.2, AI score 5.8, EPSS 0.00316
Exploits 0, References 4, Affected Software 1
PyPA
added 2026/05/26 6:16 p.m., 11 views

PYSEC-0000-CVE-2026-44730

OpenCTI is an open-source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization, one with higher privileges, to their own organization. This is due to incorrect ACL o...

CVSS 7.2, AI score 5.8, EPSS 0.00316
Exploits 0, References 1, Affected Software 1
CVE
added 2026/05/26 5:03 p.m., 11 views

CVE-2026-44730

OpenCTI (an open-source platform for threat intelligence) has a privilege-escalation vulnerability affecting the GraphQL API prior to version 6.9.7. An organization admin can elevate privileges by adding a user from a different organization with higher privileges to their own organization, due to an incorre...

CVSS 7.2, AI score 5.8, EPSS 0.00316
Exploits 0, References 1, Affected Software 1
OSV
added 2026/05/16 3:01 p.m., 2 views

MINI-958X-FMVR-62X6

Bulletin has no description...

CVSS 8.8, AI score 5.7, EPSS 0.00324
Exploits 0
Packet Storm News
added 2026/05/15 12:00 a.m., 5 views

Context-Aware Entity-Relation Extraction for Threat Intelligence Knowledge Graphs

Cybersecurity Knowledge Graphs (CKGs) unify diverse Cyber Threat Intelligence (CTI) sources into structured, queryable formats, offering scalable solutions for automating proactive and real-time security responses. Their increasing adoption has significantly enhanced the workflow and decision-making...

AI score 5.7
Exploits 0
OSV
added 2026/05/13 6:24 p.m., 3 views

ECHO-CD9F-8404-8DDC

Bulletin has no description...

CVSS 6.6, AI score 6, EPSS 0.00213
Exploits 1, References 5
OSV
added 2026/05/13 12:00 p.m., 1 view

MINI-P6C5-9FQ6-8QMF

Bulletin has no description...

CVSS 7.5, AI score 5.7, EPSS 0.00635
Exploits 0
OSV
added 2026/05/10 11:17 p.m., 5 views

MINI-GJ9M-VM85-XXWP

Bulletin has no description...

CVSS 7.5, AI score 5.7, EPSS 0.00369
Exploits 0
Tenable Nessus
added 2026/05/09 12:00 a.m., 6 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-django (UTSA-2026-016788)

The Unity Linux 20 host has a package installed that is affected by a vulnerability referenced in the UTSA-2026-016788 advisory. An issue was discovered in Django 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28: QuerySet.order_by() is subject to SQL injection in column aliases containing...

CVSS 5.4, AI score 7.3, EPSS 0.00491
Exploits 1, References 4
OSV
added 2026/05/07 4:15 p.m., 1 view

ECHO-1C52-724C-58AD

Bulletin has no description...

CVSS 8.7, AI score 5.7, EPSS 0.00485
Exploits 0, References 2
OSV
added 2026/05/07 12:08 a.m., 3 views

GHSA-X83W-23JP-G6PW OpenSearch Security plugin: DLS not applied on documents linked by has_child or has_parent relation

Description: A flaw was identified in the OpenSearch Security plugin's document-level security (DLS) implementation. DLS restrictions were not correctly applied to search queries that use has_parent or has_child join relations. This could allow an authenticated user to access document contents that...

CVSS 5.3, AI score 5.8
Exploits 0, References 2
AstraLinux
added 2026/05/03 11:59 p.m., 2 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: btrfs: fixed a memory leak in btrfs_add_qgroup_relation, where the qgroup_list structure remains unreleased after it is allocated by kzalloc. When btrfs_add_qgroup_relation is called with invalid qgroup levels (src >= dst), the function...

AI score 5.4, EPSS 0.00161
Exploits 0, References 2
Positive Technologies
added 2026/04/21 12:00 a.m., 2 views

PT-2026-34222

Name of the Vulnerable Software and Affected Versions: OpenFGA versions prior to 1.14.1. Description: In specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This may lead to the reuse of an earlier cached result fo...

CVSS 5, AI score 5.1, EPSS 0.00145
Exploits 0, References 6
EUVD
added 2026/04/14 9:29 p.m., 2 views

EUVD-2026-22718

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into...

CVSS 7.1, AI score 5.8, EPSS 0.00203
Exploits 0, References 5
Vulnrichment
added 2026/04/14 9:29 p.m., 2 views

CVE-2026-34602 Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into...

CVSS 7.1, AI score 5.8, EPSS 0.00203
Exploits 0, References 5
OSV
added 2026/04/11 3:17 p.m., 2 views

MINI-JXGP-Q27H-F973

Bulletin has no description...

CVSS 7.1, AI score 5.7, EPSS 0.00209
Exploits 0
EUVD
added 2026/04/07 4:07 p.m., 3 views

EUVD-2026-19734

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any...

CVSS 6.9, AI score 6, EPSS 0.00304
Exploits 2, References 1
NVD
added 2026/04/06 9:16 p.m., 1 view

CVE-2026-34972

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. From 1.8.0 to 1.13.1, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper...

CVSS 8.8, EPSS 0.00211
Exploits 0, References 1
Positive Technologies
added 2026/04/06 12:00 a.m., 1 view

PT-2026-30732

Name of the Vulnerable Software and Affected Versions: OpenFGA versions 1.8.0 through 1.13.1. Description: OpenFGA is an authorization/permission engine. BatchCheck calls with multiple checks for the same object, relation, and user can lead to improper policy enforcement under specific conditions...

CVSS 5, AI score 5.9, EPSS 0.00211
Exploits 0, References 6
CNNVD
added 2026/04/06 12:00 a.m., 7 views

OpenFGA security vulnerability

OpenFGA is an open-source tool built for developers, inspired by Google Zanzibar. It’s a high-performance and flexible authorization/licensing engine. Versions of OpenFGA from 1.8.0 to 1.13.1 have security vulnerabilities. These vulnerabilities arise from calls to the BatchCheck function under...

CVSS 8.8, AI score 5.9, EPSS 0.00211
Exploits 0, References 1