Lucene search
+L

154 matches found

NVD
NVD
added 2026/07/01 8:17 p.m.7 views

CVE-2026-54164

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an...

6.5CVSS0.00195EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/01 7:14 p.m.8 views

CVE-2026-54164

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an...

6.5CVSS5.7AI score0.00195EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/07/01 7:14 p.m.37 views

CVE-2026-54164 API Platform Core: Missing IRI type check enables resource type confusion

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an...

6.5CVSS0.00195EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 8:17 p.m.9 views

CVE-2026-44736

OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations — and the subject title of work packages they have no permission to view — by supplying an arbitrary work package ID in the...

6.5CVSS0.00286EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 7:27 p.m.13 views

CVE-2026-44736

OpenProject vulnerability CVE-2026-44736 affects the OpenProject web-based project management platform. The flaw exists in the GET /api/v3/relations endpoint prior to version 17.4.0, allowing any authenticated user to retrieve relations and the titles of work packages they should not have permiss...

6.5CVSS5.9AI score0.00286EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 7:27 p.m.25 views

CVE-2026-44736 OpenProject: Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work Package Subjects

OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations — and the subject title of work packages they have no permission to view — by supplying an arbitrary work package ID in the...

6.5CVSS0.00286EPSS
Exploits0References1
OSV
OSV
added 2026/06/26 7:27 p.m.4 views

CVE-2026-44736 OpenProject: Relations API Filter Bypasses Visibility Scope, Leaking Cross-Project Work Package Subjects

OpenProject is open-source, web-based project management software. Prior to 17.4.0, the GET /api/v3/relations endpoint allows any authenticated user to retrieve relations — and the subject title of work packages they have no permission to view — by supplying an arbitrary work package ID in the...

6.5CVSS6.1AI score0.00286EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.11 views

PT-2026-52905

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.4.0 Description An issue in the RelationQuery performance optimization allows authenticated users to bypass the Relation.visible scope. By providing an arbitrary work package ID through the involved, fromId, or...

6.5CVSS5.9AI score0.00286EPSS
Exploits0References3
OSV
OSV
added 2026/06/19 9:42 p.m.11 views

GHSA-4VRG-R928-H5VV SpiceDB: Checks involving relations with caveats can result in unconditional permission when conditional permission is expected

Impact Under concurrency, CheckPermission and CheckBulkPermissions can return PERMISSIONSHIPHASPERMISSION for a resource, permission, subject whose correct answer is PERMISSIONSHIPCONDITIONALPERMISSION. You are impacted if all of the following hold: 1. Your schema has a permission combining...

3.7CVSS5.8AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/19 9:42 p.m.13 views

SpiceDB: Checks involving relations with caveats can result in unconditional permission when conditional permission is expected

Impact Under concurrency, CheckPermission and CheckBulkPermissions can return PERMISSIONSHIPHASPERMISSION for a resource, permission, subject whose correct answer is PERMISSIONSHIPCONDITIONALPERMISSION. You are impacted if all of the following hold: 1. Your schema has a permission combining...

5.8AI score
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/13 12:0 a.m.17 views

PT-2026-49086

Name of the Vulnerable Software and Affected Versions API Platform Core versions prior to 4.1.30 API Platform Core versions prior to 4.2.26 API Platform Core versions prior to 4.3.12 Description A type confusion issue exists in the serializer's AbstractItemNormalizer when resolving relation IRIs...

6.5CVSS5.8AI score0.00195EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/06/11 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-11852

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Debusine is an integrated solution to build, distribute and maintain a Debian-based distribution. Files managed by debusine are organized into artifacts. The...

6.5CVSS6.1AI score0.00199EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/09 4:0 a.m.8 views

CVE-2026-41007 Spring HATEOAS heap exhaustion through unbounded internal caching

Spring HATEOAS maintains an unbounded static cache of StringLinkRelation instances keyed on attacker-supplied strings. Affected versions: Spring HATEOAS 1.5.0 through 1.5.6; 2.3.0 through 2.3.4; 2.4.0 through 2.4.1; 2.5.0 through 2.5.2; 3.0.0 through 3.0.3...

7.5CVSS5.4AI score0.00299EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:19 p.m.10 views

CVE-2026-5943

Document structural anomalies caused inconsistencies between page element relationships and internal index states. When scripts triggered document modifications, object reference validity was not properly maintained, leading to a crash when accessing an invalid pointer during page information...

7.8CVSS7.2AI score0.00181EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.11 views

CVE-2026-27886

Strapi is an open source headless content management system. Strapi versions starting in 4.0.0 and prior to 5.37.0 did not sufficiently sanitize query parameters when filtering content via relational fields. An unauthenticated attacker could use the where query parameter on any publicly-accessibl...

9.2CVSS5.4AI score0.00612EPSS
Exploits5References1
Github Security Blog
Github Security Blog
added 2026/05/06 8:45 p.m.14 views

phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query

Summary The public /solutionidid.html route calls Faq::getIdFromSolutionId in phpmyfaq/src/phpMyFAQ/Faq.php:1312. That query joins faqdata with faqcategoryrelations solely by solutionid and returns the matching FAQ's id, lang, thema title, and categoryid with no permission filter. An...

8.7CVSS5.8AI score0.00259EPSS
Exploits0References4Affected Software2
NVD
NVD
added 2026/04/27 12:16 p.m.9 views

CVE-2026-5943

Document structural anomalies caused inconsistencies between page element relationships and internal index states. When scripts triggered document modifications, object reference validity was not properly maintained, leading to a crash when accessing an invalid pointer during page information...

7.8CVSS0.00181EPSS
Exploits0References1
CVE
CVE
added 2026/04/14 9:29 p.m.17 views

CVE-2026-34602

Chamilo LMS is affected by an IDOR in the /api/course_rel_users endpoint prior to version 2.0.0-RC.3. An authenticated attacker can modify the user parameter in the request body to enroll arbitrary users into courses without proper authorization checks, bypassing enrollment controls and potential...

7.1CVSS5.8AI score0.00203EPSS
Exploits0References5Affected Software1
CNNVD
CNNVD
added 2026/04/14 12:0 a.m.9 views

Chamilo LMS 安全漏洞

Chamilo LMS is an open-source online learning and collaboration system developed by Chamilo. This system supports the creation of teaching content, remote training, and online quizzes. Versions of Chamilo LMS prior to 2.0.0-RC.3 contained security vulnerabilities. These vulnerabilities stemmed fr...

7.1CVSS5.8AI score0.00203EPSS
Exploits0References5
SUSE CVE
SUSE CVE
added 2026/03/28 12:24 a.m.7 views

SUSE CVE-2026-33676

Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...

6.5CVSS5.9AI score0.0033EPSS
Exploits1References3
Rows per page
Query Builder