15 matches found

CNNVD
added 2026/05/11 12:00 a.m., 4 views

Outline security vulnerabilities

Outline is an open-source knowledge base developed by Outline. Versions 0.84.0 to 1.6.1 of Outline contain security vulnerabilities. These vulnerabilities stem from a logical error in the use of Array.some for verifying the OAuth scopes. As a result, if any single scope is valid, the entire scope...

CVSS 8.2 | AI score 5.8 | EPSS 0.00029
Exploits 0 | References 1
OSV
added 2026/03/06 3:51 p.m., 4 views

CLSA-2026-1772812307 grafana: Fix of CVE-2026-21721

CVE-2026-21721: Fix dashboard permissions API; verify target dashboard scope and prevent users with permission-management rights on one dashboard from reading or modifying permissions on other dashboards...

CVSS 8.1 | AI score 7.2 | EPSS 0.00019
Exploits 1 | References 1
RedHat Linux
added 2026/02/18 12:55 p.m., 2 views

grafana/grafana/pkg/services/dashboards: Grafana Dashboard Permissions Scope Bypass Enables Cross-Dashboard Privilege Escalation

An authorization error has been discovered in Grafana dashboards. The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has permission management rights on one dashboard can read and modify permissions ...

CVSS 8.1 | AI score 5.8 | EPSS 0.00019
Exploits 1 | References 5
CVE
added 2026/02/06 6:28 p.m., 9 views

CVE-2026-23989

REVA (OpenCloud Reva component) contains a vulnerability in its GRPC authorization middleware that lets a malicious user bypass the public link scope verification via the archiver service, enabling creation of an archive (zip/tar) containing all resources within the link's scope. Affected version...

CVSS 8.2 | AI score 5.5 | EPSS 0.00019
Exploits 0 | References 2 | Affected Software 1
Tenable Nessus
added 2026/01/28 12:00 a.m., 7 views

Linux Distros Unpatched Vulnerability : CVE-2026-21721

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has...

CVSS 8.1 | AI score 5.5 | EPSS 0.00019
Exploits 1 | References 2
Snyk
added 2026/01/27 9:49 a.m., 3 views

Incorrect Authorization

Overview github.com/grafana/grafana/pkg/api is an open and composable observability and data visualization platform. Affected versions of this package are vulnerable to Incorrect Authorization via the dashboard permissions API. A user who has management write permissions can gain unauthorized...

CVSS 8.6 | AI score 5.9 | EPSS 0.00019
Exploits 1 | References 2
NVD
added 2026/01/27 9:15 a.m., 4 views

CVE-2026-21721

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege...

CVSS 8.1 | EPSS 0.00019
Exploits 1 | References 1
UbuntuCve
added 2026/01/27 9:15 a.m., 1 view

CVE-2026-21721

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege...

CVSS 8.1 | AI score 6.8 | EPSS 0.00019
Exploits 1 | References 2
ATTACKERKB
added 2026/01/27 9:07 a.m., 8 views

CVE-2026-21721

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege...

CVSS 8.1 | AI score 5.9 | EPSS 0.00019
Exploits 1 | References 2 | Affected Software 2
AlpineLinux
added 2026/01/27 9:07 a.m., 4 views

CVE-2026-21721

The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions: action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization-internal privilege...

CVSS 8.1 | AI score 6.7 | EPSS 0.00019
Exploits 1 | References 2
CNNVD
added 2026/01/23 12:00 a.m., 3 views

NRF security vulnerabilities

nrf is a network repository function module developed by free5GC. Version 1.4.0 of nrf contains a security vulnerability. This vulnerability stems from the AccessTokenScopeCheck function, which bypasses all scope verifications when using a specially crafted targetNF value, potentially allowing acce...

CVSS 9.1 | AI score 5.8 | EPSS 0.00065
Exploits 1 | References 3
NVD
added 2025/07/01 2:15 a.m., 3 views

CVE-2025-53003

The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal attack surface that exposes all sorts of information from the IDP including clients, users, scripts...

CVSS 8.2 | EPSS 0.00435
Exploits 0 | References 4
Cvelist
added 2025/07/01 1:22 a.m., 8 views

CVE-2025-53003 Janssen Config API returns results without scope verification

The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal attack surface that exposes all sorts of information from the IDP including clients, users, scripts...

CVSS 8.2 | EPSS 0.00435
Exploits 0 | References 4
CVE
added 2025/07/01 1:22 a.m., 31 views

CVE-2025-53003

The Janssen Project Config API was vulnerable before version 1.8.0 due to lack of scope verification, exposing information from the IDP (clients, users, scripts, etc.). The issue has been fixed in 1.8.0. A recommended workaround mentioned in the sources is to fork and patch the Config API followi...

CVSS 8.2 | AI score 6.6 | EPSS 0.00435
Exploits 0 | References 4
Vulnrichment
added 2025/07/01 1:22 a.m., 4 views

CVE-2025-53003 Janssen Config API returns results without scope verification

The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal attack surface that exposes all sorts of information from the IDP including clients, users, scripts...

CVSS 8.2 | AI score 6.8 | EPSS 0.00435
Exploits 0 | References 4