48 matches found
CVE-2026-59709
Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...
CVE-2026-45157 Nextcloud: Valid share tokens allow to access tempory upload files of share owner
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see...
CVE-2026-45157
CVE-2026-45157 affects Nextcloud Server: versions 32.0.0 up to but not including 32.0.9, and 33.0.0 up to but not including 33.0.3. A user with access to another user’s file share can use the share token to access the share’s chunking upload process and view temporary part files during ongoing up...
CVE-2026-45157 Nextcloud: Valid share tokens allow to access tempory upload files of share owner
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see...
Valid share tokens allow to access tempory upload files of share owner
None...
CVE-2026-35594
CVE-2026-35594 affects Vikunja prior to version 2.3.0, where link-share JWTs were validated entirely from JWT claims without server-side checks. The GetLinkShareFromClaims path builds a LinkSharing object without database validation, allowing previously issued link-share JWTs to retain their orig...
GHSA-96Q5-XM3P-7M84 Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Title Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade Description Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or...
PT-2026-31945
Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0 Description Vikunja's link share authentication constructs authorization objects entirely from JWT claims without server-side database validation. When a project owner deletes a link share or downgrades its...
Authentication Bypass Using an Alternate Path or Channel
Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the way the server’s middleware processes "Share Tokens." While these tokens are intended to grant temporary, restricted access to a single file, the BasicAuthMiddleware...
Authentication Bypass Using an Alternate Path or Channel
Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the way the server’s middleware processes "Share Tokens." While these tokens are intended to grant temporary, restricted access to a single file, the BasicAuthMiddleware...
Terraform Provider for Linode Debug Logs Vulnerable to Sensitive Information Exposure
Impact The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, object storage data, and NodeBalancer TLS keys in debug logs without redaction. Important: Provider debug logging is not enabled by default. This issue is...
CVE-2025-69417
In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...
CVE-2025-69417
In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...
CVE-2025-69417
In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...
CVE-2025-69417
In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...
CVE-2025-69417
PVE-2025-69417 affects Plex Media Server (PMS) prior to latest updates. The issue arises when a non-server device token can retrieve share tokens intended for unrelated access via the shared_servers endpoint, indicating an access-control weakness in PMS’s token handling. Public references in the ...
CVE-2025-69417
In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...
PT-2026-1111
Name of the Vulnerable Software and Affected Versions Plex Media Server versions prior to 2025-12-31 Description A non-server device token can retrieve share tokens via the shared servers endpoint. These share tokens are intended for unrelated access. Recommendations Update Plex Media Server to a...
Nextcloud: Valid share tokens allow to access tempory upload files of share owner
A vulnerability was discovered that allowed access to temporary upload files of a share owner using valid share tokens...
EUVD-2017-18274
Malware in sbrugna...