34 matches found
CVE-2026-52783
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth accesstoken plaintext to Rails.cache under the deterministic key storage..httpxaccesstoken, repopulated continuously by an...
PT-2026-52913
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.3 OpenProject versions prior to 17.4.1 Description An Insecure Direct Object Reference IDOR exists in the project storage settings. A project administrator can gain unauthorized access to the managed Nextclou...
CVE-2026-47352 TYPO3 CMS - Broken Access Control in Backend API
Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46,...
PT-2026-47745
Name of the Vulnerable Software and Affected Versions TYPO3 CMS versions prior to 10.4.57 TYPO3 CMS versions 11.0.0 through 11.5.51 TYPO3 CMS versions 12.0.0 through 12.4.46 TYPO3 CMS versions 13.0.0 through 13.4.31 TYPO3 CMS versions 14.0.0 through 14.3.3 Description Authenticated backend users...
CVE-2026-3391
A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clearstorages of the file src/lilyemitter.c. The manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been released to the public and may be used for...
CVE-2026-3391 FascinatedBox lily lily_emitter.c clear_storages out-of-bounds
A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clearstorages of the file src/lilyemitter.c. The manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been released to the public and may be used for...
EUVD-2026-9126
A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clearstorages of the file src/lilyemitter.c. The manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been released to the public and may be used for...
CVE-2026-3391
A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clearstorages of the file src/lilyemitter.c. The manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been released to the public and may be used for...
CVE-2026-3391 FascinatedBox lily lily_emitter.c clear_storages out-of-bounds
A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clearstorages of the file src/lilyemitter.c. The manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been released to the public and may be used for...
CVE-2026-3391 FascinatedBox lily lily_emitter.c clear_storages out-of-bounds
A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clearstorages of the file src/lilyemitter.c. The manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been released to the public and may be used for...
CVE-2026-3391
CVE-2026-3391 affects FascinatedBox lily up to version 2.3. The vulnerability is in the function clear_storages in src/lily_emitter.c and results in an out-of-bounds read. Exploitation requires local access, and public proof-of-concept/exploit code exists. The issue was disclosed via an issue rep...
PT-2026-22513
A security flaw has been discovered in FascinatedBox lily up to 2.3. Impacted is the function clear storages of the file src/lily emitter.c. The manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been released to the public and may be used f...
EUVD-2026-5367
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle MitM attacks. This...
OPENSUSE-SU-2026:10125-1 python311-django-storages-1.14.6-1.1 on GA media
These are all security issues fixed in the python311-django-storages-1.14.6-1.1 package on the GA media of openSUSE Tumbleweed...
CVE-2024-52518
Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded...
CVE-2024-52517 Nextcloud Server's global credentials of external storages are sent back to the frontend
Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the...
CVE-2024-52517 Nextcloud Server's global credentials of external storages are sent back to the frontend
Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the...
CVE-2024-52523 Nextcloud Server Custom defined credentials of external storages are sent back to the frontend
Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator defined external storage with fixed credentials, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active sessi...
Missing password confirmation when changing external storage options
None...
CVE-2024-50386 Apache CloudStack: Directly downloaded templates can be used to abuse KVM-based infrastructure
Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker...