SpiceDB: Checks involving relations with caveats can result in unconditional permission when conditional permission is expected

Impact Under concurrency, CheckPermission and CheckBulkPermissions can return PERMISSIONSHIPHASPERMISSION for a resource, permission, subject whose correct answer is PERMISSIONSHIPCONDITIONALPERMISSION. You are impacted if all of the following hold: 1. Your schema has a permission combining...

GHSA-4VRG-R928-H5VV SpiceDB: Checks involving relations with caveats can result in unconditional permission when conditional permission is expected

Impact Under concurrency, CheckPermission and CheckBulkPermissions can return PERMISSIONSHIPHASPERMISSION for a resource, permission, subject whose correct answer is PERMISSIONSHIPCONDITIONALPERMISSION. You are impacted if all of the following hold: 1. Your schema has a permission combining...

PT-2026-49086

🔒 Security patch out for API Platform Core CVE-2026-54164: a type-confusion bug let writable relations accept a wrong-type IRI. Upgrade to 4.1.30 / 4.2.26 / 4.3.12+. Details: https://t.co/zRkVBEfHqh...

Linux Distros Unpatched Vulnerability : CVE-2026-11852

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The...

CVE-2026-41007 Spring HATEOAS heap exhaustion through unbounded internal caching

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3...

CVE-2026-5943

Document structural anomalies caused inconsistencies between page element relationships and internal index states. When scripts triggered document modifications, object reference validity was not properly maintained, leading to a crash when accessing an invalid pointer during page information...

CVE-2026-27886

Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessibl...

phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query

Summary The public /solutionidid.html route calls Faq::getIdFromSolutionId in phpmyfaq/src/phpMyFAQ/Faq.php:1312. That query joins faqdata with faqcategoryrelations solely by solutionid and returns the matching FAQ's id, lang, thema title, and categoryid with no permission filter. An...

CVE-2026-5943

Document structural anomalies caused inconsistencies between page element relationships and internal index states. When scripts triggered document modifications, object reference validity was not properly maintained, leading to a crash when accessing an invalid pointer during page information...

CVE-2026-34602

Chamilo LMS is affected by an IDOR in the /api/course_rel_users endpoint prior to version 2.0.0-RC.3. An authenticated attacker can modify the user parameter in the request body to enroll arbitrary users into courses without proper authorization checks, bypassing enrollment controls and potential...

Chamilo LMS 安全漏洞

Chamilo LMS is an open-source online learning and collaboration system developed by Chamilo. This system supports the creation of teaching content, remote training, and online quizzes. Versions of Chamilo LMS prior to 2.0.0-RC.3 contained security vulnerabilities. These vulnerabilities stemmed fr...

SUSE CVE-2026-33676

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...

CVE-2026-33729 OpenFGA has an Authorization Bypass through cached keys

OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the addRelatedTasksToTasks function. An attacker can obtain unauthorized access to sensitive task metadata from projects they do not have permission to view by reading tasks that have cross-project relations...

CVE-2026-33676

Summary: Vikunja, an open-source self-hosted task manager, has a cross-project information disclosure in its API. Before 2.2.1, when returning tasks, the API fills the related_tasks field with full task objects for all related tasks without verifying the requester’s read permission on those proje...

CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...

CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...

CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...

From Threat Intelligence to Firewall Rules: Semantic Relations in Hybrid AI Agent and Expert System Architectures

Web security demands rapid response capabilities to evolving cyber threats. Agentic Artificial Intelligence AI promises automation, but the need for trustworthy security responses is of the utmost importance. This work investigates the role of semantic relations in extracting information for...

EUVD-2026-5711

WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers such as boardId, cardId, swimlaneId, and listId are consistent and refer to a coherent card/board relationship, enabling attempts to upload...