Lucene search
K

15091 matches found

CVE
CVE
added 2026/06/29 9:47 p.m.12 views

CVE-2026-34592

CVE-2026-34592 (Coolify) affects the Coolify server and project lookup functionality. Before 4.0.0-beta.471, lookups were not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying IDs directly. This constitutes an unauthe...

7.7CVSS5.8AI score0.00201EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/29 9:47 p.m.6 views

CVE-2026-34592

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to the current team, allowing any authenticated user to access servers and projects belonging to other teams by specifying...

7.7CVSS5.8AI score0.00201EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/06/29 8:17 p.m.10 views

CVE-2026-57498

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId$teamId before any operation. However, multiple Livewire web UI components accept...

9.6CVSS0.00223EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/29 8:12 p.m.23 views

CVE-2026-57498 Coolify Cross-Team IDOR: Livewire Components Accept Unscoped server_id and destination_uuid — Deploy to Other Teams' Servers

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId$teamId before any operation. However, multiple Livewire web UI components accept...

9.6CVSS0.00223EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/29 8:12 p.m.6 views

CVE-2026-57498

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId$teamId before any operation. However, multiple Livewire web UI components accept...

9.6CVSS5.8AI score0.00223EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/29 8:12 p.m.26 views

CVE-2026-57498

CVE-2026-57498 affects Coolify. Before 4.0.0-beta.474, API controllers validated server ownership via Server::whereTeamId($teamId) for operations, but multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without team ownership validation. This enable...

9.6CVSS5.8AI score0.00223EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/06/29 2:28 p.m.7 views

WordPress Team Members – Multi Language Supported Team Plugin plugin <= 8.7 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by AveronSec - Averon Security in WordPress Plugin Team Member versions = 8.7...

4.4CVSS5.8AI score0.00212EPSS
Exploits0References1Affected Software1
Circl
Circl
added 2026/06/29 1:18 p.m.8 views

CERTFR-2026-ACT-028

creationtimestamp| type| source ---|---|--- 2026-06-29 13:18:55+00:00| seen| https://bsky.app/profile/cert-fr.bsky.social/post/3mpglahrxgg2r 2026-06-29 13:19:01+00:00| seen| https://social.numerique.gouv.fr/users/certfr/statuses/116833591913906031 2026-06-30 09:08:15+00:00| seen|...

5.8AI score
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.20 views

PT-2026-53749

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.471 Description Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Server and project lookups are not scoped to the current team, which allows any...

7.7CVSS5.8AI score0.00201EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.12 views

PT-2026-53734

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.474 Description Multiple Livewire web UI components fail to validate team ownership when processing server id and destination uuid passed via URL query parameters. While API controllers correctly use the...

9.6CVSS5.8AI score0.00223EPSS
Exploits0References4
OSV
OSV
added 2026/06/26 8:30 p.m.2 views

GHSA-GM7F-V959-FR2G Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint

Summary The global policy read endpoint GET /api/latest/fleet/policies/policyid performs authorization against an empty fleet.Policy struct with nil TeamID, then fetches any policy by ID from the database without verifying the fetched policy actually belongs to the global scope. This allows a use...

4.3CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/06/26 8:30 p.m.2 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through the GetPolicyByIDQueries process. An attacker can access policy data belonging to other teams by sending requests to the global policy read endpoint with valid credentials for any team, thereby bypassing...

5.3CVSS6AI score
Exploits0References2
NVD
NVD
added 2026/06/26 8:17 p.m.7 views

CVE-2026-52779

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries...

5.4CVSS0.00185EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 7:2 p.m.30 views

CVE-2026-52779 OpenProject: Cross-project authorization bypass allows deleting public Calendar and Team Planner queries from unauthorized projects

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries...

5.4CVSS0.00185EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 7:2 p.m.8 views

CVE-2026-52779

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries...

5.4CVSS5.8AI score0.00185EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/26 7:2 p.m.15 views

CVE-2026-52779

OpenProject prior to versions 17.3.3 and 17.4.1 contains a cross-project IDOR/authorization context confusion in the Calendar and Team Planner modules. A user with management permissions in one project can delete public Calendar or Team Planner Queries from another project where they lack corresp...

5.4CVSS5.8AI score0.00185EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.10 views

PT-2026-53001

Name of the Vulnerable Software and Affected Versions Fleet DM affected versions not specified Description An issue exists in the global policy read endpoint GET /api/latest/fleet/policies/policy id where authorization is performed against an empty structure with a nil TeamID. This allows the...

4.3CVSS6AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.18 views

PT-2026-52910

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.3 OpenProject versions prior to 17.4.1 Description An authorization context confusion and Insecure Direct Object Reference IDOR exist within the Calendar and Team Planner modules. A user with management...

5.4CVSS5.8AI score0.00185EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/24 8:18 p.m.27 views

CVE-2026-52800 Gogs: CSRF Leading to Organization Owner Takeover

Gogs is an open source self-hosted Git service. Prior to 0.14.3, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be add...

8.8CVSS0.00248EPSS
Exploits0References4
CVE
CVE
added 2026/06/24 8:18 p.m.17 views

CVE-2026-52800

CVE-2026-52800 (Gogs) : In Gogs 0.14.1 and earlier, organization team management endpoints were reachable via GET requests with CSRF protection disabled for GET, enabling state-changing actions like adding a user to the Owners team without proper CSRF checks. If the victim is an organization owne...

8.8CVSS5.9AI score0.00248EPSS
Exploits0References4
Rows per page
Query Builder