Lucene search
K

48 matches found

NVD
NVD
added yesterday6 views

CVE-2026-59709

Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove...

5.3CVSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/01 4:39 p.m.30 views

CVE-2026-45157 Nextcloud: Valid share tokens allow to access tempory upload files of share owner

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see...

6.3CVSS0.00231EPSS
Exploits0References3
CVE
CVE
added 2026/06/01 4:39 p.m.19 views

CVE-2026-45157

CVE-2026-45157 affects Nextcloud Server: versions 32.0.0 up to but not including 32.0.9, and 33.0.0 up to but not including 33.0.3. A user with access to another user’s file share can use the share token to access the share’s chunking upload process and view temporary part files during ongoing up...

6.3CVSS5.7AI score0.00231EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/01 4:39 p.m.9 views

CVE-2026-45157 Nextcloud: Valid share tokens allow to access tempory upload files of share owner

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, when a malicious user has access to a file share of a user, they could use this share token to also access the chunking upload directly and see...

6.3CVSS5.7AI score0.00231EPSS
Exploits0References3
Nextcloud
Nextcloud
added 2026/05/12 9:12 a.m.18 views

Valid share tokens allow to access tempory upload files of share owner

None...

6.3CVSS5.8AI score0.00231EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/10 3:55 p.m.12 views

CVE-2026-35594

CVE-2026-35594 affects Vikunja prior to version 2.3.0, where link-share JWTs were validated entirely from JWT claims without server-side checks. The GetLinkShareFromClaims path builds a LinkSharing object without database validation, allowing previously issued link-share JWTs to retain their orig...

6.5CVSS5.7AI score0.00268EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/10 3:31 p.m.3 views

GHSA-96Q5-XM3P-7M84 Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade

Title Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade Description Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or...

6.5CVSS5.8AI score0.00268EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.6 views

PT-2026-31945

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.3.0 Description Vikunja's link share authentication constructs authorization objects entirely from JWT claims without server-side database validation. When a project owner deletes a link share or downgrades its...

6.5CVSS5.7AI score0.00268EPSS
Exploits1References10
Snyk
Snyk
added 2026/04/01 8:58 p.m.2 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the way the server’s middleware processes "Share Tokens." While these tokens are intended to grant temporary, restricted access to a single file, the BasicAuthMiddleware...

8.5CVSS5.9AI score0.00392EPSS
Exploits1References2
Snyk
Snyk
added 2026/04/01 8:58 p.m.7 views

Authentication Bypass Using an Alternate Path or Channel

Overview Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel in the way the server’s middleware processes "Share Tokens." While these tokens are intended to grant temporary, restricted access to a single file, the BasicAuthMiddleware...

8.5CVSS5.9AI score0.00392EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/02/26 8:0 p.m.11 views

Terraform Provider for Linode Debug Logs Vulnerable to Sensitive Information Exposure

Impact The Terraform Provider for Linode versions prior to v3.9.0 logged sensitive information including some passwords, StackScript content, object storage data, and NodeBalancer TLS keys in debug logs without redaction. Important: Provider debug logging is not enabled by default. This issue is...

7.7CVSS5.6AI score0.00469EPSS
Exploits0References7Affected Software3
RedhatCVE
RedhatCVE
added 2026/01/03 5:1 p.m.12 views

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

5CVSS6.9AI score0.00274EPSS
Exploits1References1
OSV
OSV
added 2026/01/02 5:16 p.m.3 views

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

4.3CVSS5.8AI score0.00537EPSS
Exploits1References1
NVD
NVD
added 2026/01/02 5:16 p.m.5 views

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

5CVSS0.00274EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/01/02 4:55 p.m.29 views

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

5CVSS0.00274EPSS
Exploits1References1
CVE
CVE
added 2026/01/02 4:55 p.m.15 views

CVE-2025-69417

PVE-2025-69417 affects Plex Media Server (PMS) prior to latest updates. The issue arises when a non-server device token can retrieve share tokens intended for unrelated access via the shared_servers endpoint, indicating an access-control weakness in PMS’s token handling. Public references in the ...

5CVSS6.5AI score0.00274EPSS
Exploits1References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/02 4:55 p.m.8 views

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

5CVSS6.5AI score0.00274EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/01/02 12:0 a.m.5 views

PT-2026-1111

Name of the Vulnerable Software and Affected Versions Plex Media Server versions prior to 2025-12-31 Description A non-server device token can retrieve share tokens via the shared servers endpoint. These share tokens are intended for unrelated access. Recommendations Update Plex Media Server to a...

8.5CVSS6.6AI score0.00537EPSS
Exploits1References5
Hacker One
Hacker One
added 2026/01/01 5:6 a.m.130 views

Nextcloud: Valid share tokens allow to access tempory upload files of share owner

A vulnerability was discovered that allowed access to temporary upload files of a share owner using valid share tokens...

6.3CVSS5.4AI score0.00231EPSS
Exploits0
EUVD
EUVD
added 2025/10/07 12:30 a.m.2 views

EUVD-2017-18274

Malware in sbrugna...

5.3CVSS5.3AI score0.01036EPSS
Exploits0References2
Rows per page
Query Builder