193 matches found
CVE-2026-12529
A security vulnerability has been detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. Affected is an unknown function of the file /index.php of the component Student Self-Registration Endpoint. The manipulation leads to improper access controls. Remote...
EUVD-2026-37780
A security vulnerability has been detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. Affected is an unknown function of the file /index.php of the component Student Self-Registration Endpoint. The manipulation leads to improper access controls. Remote...
PT-2026-50526
Name of the Vulnerable Software and Affected Versions SourceCodester CET Automated Grading System with AI Predictive Analytics version 1.0 Description Improper access controls exist within the Student Self-Registration Endpoint in the /index.php file. This flaw allows for remote exploitation,...
CVE-2026-53912
Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, a...
CVE-2026-53912 Cerebrate self-registration password hash exposure via inbox and audit log views
Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, a...
EUVD-2026-36220
Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, a...
CVE-2026-53912 Cerebrate self-registration password hash exposure via inbox and audit log views
Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, a...
CVE-2026-53912
Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored registrant password hashes in the inbox message payload, which were returned unredacted through inbox index/view responses (HTML/JSON/CSV) and could be written unredact...
PT-2026-48649
Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, a...
Cerebrate 信息泄露漏洞
Cerebrate is an open-source platform developed by Cerebrate. It aims to act as an interconnected coordinator for trusted contact information providers and other security tools. Prior to version 1.37 of Cerebrate, there was a vulnerability involving information leakage, which stemmed from exposing...
CVE-2026-39336
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting issue affects the Directory Reports form fields set from config, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-adm...
CVE-2026-42613
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enabled and groups or access are included in the...
CVE-2026-41949 Dify < 1.14.2 Authorization Bypass via File Preview Endpoint
Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the...
CVE-2026-41949 Dify < 1.14.2 Authorization Bypass via File Preview Endpoint
Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the...
CVE-2026-41948
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencod...
EUVD-2026-30771
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencod...
CVE-2026-41948
Dify v1.14.1 (and prior) is affected by a path traversal vulnerability in the Plugin Daemon internal API caused by insufficient URL path sanitization. authenticated users can traverse outside their tenant path using unencoded dot sequences in task IDs or manipulated filename parameters to reach i...
EUVD-2026-30772
Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints...
CVE-2026-41947
Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to...
PT-2026-41676
Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the...