CVE-2026-42572 Hatchet: Cross-tenant information disclosure in `listTasksByDAGIds`
Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any...
CVE-2026-42572
Hatchet’s CVE-2026-42572 describes a cross-tenant information disclosure in GET /api/v1/stable/dags/tasks due to a missing authorization directive. The underlying cause: the listTasksByDAGIds operation did not declare x-resources: ["tenant"], allowing a user authenticated to one tenant to supply ...
EUVD-2026-30339
Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any...
hatchet Security Vulnerability
Hatchet is an open-source backend task and AI workflow orchestration engine developed by Hatchet. Versions of Hatchet prior to 0.83.39 contain a security vulnerability. The vulnerability stems from a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint,...
CVE-2025-63681
open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling a normal user to stop arbitrary LLM response tasks...
open-webui is Vulnerable to Incorrect Access Control
open-webui v0.6.33 is vulnerable to Incorrect Access Control. The API /api/tasks/stop/ directly accesses and cancels tasks without verifying user ownership, enabling a normal user to stop arbitrary LLM response tasks...
EUVD-2025-24623
Malicious code in bioql PyPI...
CVE-2025-45313
A cross-site scripting (XSS) vulnerability in the /tasks endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the title parameter...
PT-2025-33060 · Unknown · Hortusfox-Web
Name of the Vulnerable Software and Affected Versions: hortusfox-web version 4.4. Description: A cross-site scripting (XSS) vulnerability exists in the /tasks endpoint. Attackers can execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into the title...
CVE-2025-45313
hortusfox-web v4.4 has an XSS in the /tasks endpoint: user-supplied title parameter can be crafted to inject JavaScript, executing in the attacker’s context. Root cause: insufficient input sanitization in the title field. Impact per sources: arbitrary JavaScript execution in the user’s browser; C...
HortusFox Security Vulnerability
HortusFox is a free and open source self-hosted plant manager system from HortusFox, Inc. A security vulnerability exists in HortusFox v4.4 that stems from cross-site scripting caused by improper handling of the title parameter in the /tasks endpoint...
CVE-2022-39281 Remote Denial of Service via Tasks endpoint in fat_free_crm
fatfreecrm is an open source Ruby on Rails customer relationship management (CRM) platform. In versions prior to 0.20.1, an authenticated user can perform a remote Denial of Service attack against Fat Free CRM via bucket access. The vulnerability has been patched in commit c85a254 and will be...
Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint
Impact: An authenticated user can perform a remote Denial of Service attack against Fat Free CRM. This vulnerability has been assigned the CVE identifier CVE-2022-39281. Affected versions: All. Not affected: None. Fixed versions: 0.20.1. All users running an affected release should either upgrade or...