CVE-2026-42202

nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint POST/nova-vendor/nova-toggle/toggle/resource/resourceId was protected only by web + auth: middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes...

CVE-2026-42202

nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint POST/nova-vendor/nova-toggle/toggle/resource/resourceId was protected only by web + auth: middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes...

CVE-2026-42202 nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint POST/nova-vendor/nova-toggle/toggle/resource/resourceId was protected only by web + auth: middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes...

CVE-2026-42202

In detail, CVE-2026-42202 affects the laravel package almirhodzic/nova-toggle-5 (Nova toggle feature). Before 1.3.0, the toggle endpoint POST /nova-vendor/nova-toggle/toggle/{resource}/{resourceId} was protected only by web + auth:, allowing any authenticated user on the configured guard—even non...

CVE-2026-42202

nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint POST/nova-vendor/nova-toggle/toggle/resource/resourceId was protected only by web + auth: middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes...

CVE-2026-42202 nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint POST/nova-vendor/nova-toggle/toggle/resource/resourceId was protected only by web + auth: middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes...

EUVD-2026-28835

nova-toggle-5 enables fliping booleans in the index. Prior to version 1.3.0, the toggle endpoint POST/nova-vendor/nova-toggle/toggle/resource/resourceId was protected only by web + auth: middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes...

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization via the toggle endpoint. An attacker can modify boolean fields on any resource by sending requests to the endpoint with arbitrary attribute parameters, even if they do not have access to the Nova admin area, as lo...

nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

Impact In versions middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself for example, frontend customers sharing the web guard with the Nova admin area. The endpoi...

nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

In versions middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself for example, frontend customers sharing the web guard with the Nova admin area. The endpoint also...

nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

In versions middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself for example, frontend customers sharing the web guard with the Nova admin area. The endpoint also...

CVE-2026-27880

A flaw was found in Grafana. A remote attacker can exploit the feature toggle evaluation endpoint by sending unbounded values, causing the system to read excessive data into memory. This can lead to out-of-memory crashes, resulting in a Denial of Service DoS for the affected service. Mitigation...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the OpenFeature feature toggle evaluation endpoint. An attacker can cause the system to read excessive data into memory by sending unbounded values, potentially leading to...