CVE-2026-28685

CVE-2026-28685 : Kimai’s API endpoint GET /api/invoices/{id} lacked customer-level access control. Before v2.51.0, the API checked only the role-based view_invoice permission, allowing any user with the ROLE_TEAMLEAD to read invoices for any customer, breaking data isolation. The Red Hat/NVD/NVD-...

GHSA-V33R-R6H2-8WR7 Kimai's API invoice endpoint missing customer-level access control (IDOR)

Summary GET /api/invoices/id only checks the role-based viewinvoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLETEAMLEAD which grants viewinvoice can read all invoices in the system, including those belonging to customers assigned to...

EUVD-2023-3250

Malicious code in bioql PyPI...

SA-CONTRIB-2014-037 - BlueMasters - Cross Site Scripting

Bluemasters is a responsive layout theme for Drupal 7. The Bluemasters theme does not properly sanitize theme settings before they are used in the output of a page. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes". CVE identifie...