PT-2026-27454

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.2.1 Description Vikunja is a self-hosted task management platform. A flaw exists where the DELETE /api/v1/projects/:project/shares/:share endpoint does not confirm that the link share belongs to the project specifie...

PT-2026-27626

Name of the Vulnerable Software and Affected Versions PinchTab versions prior to 0.8.4 Description PinchTab includes an optional scheduler that, in version 0.8.3, had a server-side request forgery issue in its webhook delivery path. When a task is submitted to the POST /tasks endpoint with a...

CVE-2026-29839

DedeCMS v5.7.118 contains a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php. The available sources confirm the affected product/version and the vulnerable endpoint, but do not provide details on root cause, exploitability, impact scope, or remediation steps. No exploit detail...

CVE-2026-29839

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery CSRF vulnerability in /systaskadd.php...

PT-2026-27447

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery CSRF vulnerability in /sys task add.php...

OpenClaw has an unspecified vulnerability (CNVD-2026-14832)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that is caused by failing to pass the senderIsOwner flag when processing Discord voice transcription in agentCommand. An attacker could exploit the vulnerability to cause a voi...

CVE-2026-29839

DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery CSRF vulnerability in /systaskadd.php...

PT-2026-27451

Name of the Vulnerable Software and Affected Versions Vikunja versions prior to 2.2.1 Description Vikunja is a self-hosted task management platform. A flaw exists where the TaskAttachment.ReadOne function queries attachments using only the ID, disregarding the task ID from the URL. The permission...

Vikunja 安全漏洞

Vikunja is an open-source to-do application developed by Vikunja developers. Versions of Vikunja prior to 2.2.0 contained security vulnerabilities. These vulnerabilities were due to access control flaws in the API, which could allow authenticated users to read arbitrary task comments...

CVE-2026-32907

Rejected reason: This CVE ID has been rejected...

CVE-2026-22173

Rejected reason: This CVE ID has been rejected...

CVE-2026-32907

OpenClaw is affected by CVE-2026-32907 in versions prior to 2026.2.19. A local command-injection flaw exists in Windows scheduled task script generation, allowing an attacker who can influence service script generation values to inject unescaped cmd metacharacters into gateway.cmd arguments and a...

CVE-2026-32907

...

CVE-2026-22173

OpenClaw is affected for versions prior to 2026.2.18. The issue is a command injection in Windows Scheduled Task script generation, where environment variables are written unquoted to gateway.cmd, allowing shell metacharacters to break out of the assignment context. Attackers can inject arbitrary...

CVE-2026-22173

...

GHSA-F35R-V9X5-R8MC New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

Summary The video proxy endpoint GET /v1/videos/:taskid/content is vulnerable to an Insecure Direct Object Reference IDOR. Any authenticated user who knows another user's taskid can retrieve that user's generated video content because the handler queries tasks by taskid alone and does not verify...

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

Summary The video proxy endpoint GET /v1/videos/:taskid/content is vulnerable to an Insecure Direct Object Reference IDOR. Any authenticated user who knows another user's taskid can retrieve that user's generated video content because the handler queries tasks by taskid alone and does not verify...

EUVD-2026-14518

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check...

CVE-2026-30886

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...

CVE-2026-30886

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.11.4-alpha.2, an Insecure Direct Object Reference IDOR vulnerability in the video proxy endpoint GET /v1/videos/:taskid/content allows any authenticated user to access video...