Lucene search
K

92 matches found

NVD
NVD
added 2026/06/24 9:16 p.m.7 views

CVE-2026-52812

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git LFS storage is content-addressed by OID alone /// but per-repo authorization lives in the lfsobject table keyed repoid, oid. serveUpload skips re-uploading when the OID file already exists on disk and inserts a new repoid, oid r...

7.1CVSS0.00236EPSS
Exploits0References4
NVD
NVD
added 2026/06/10 10:16 p.m.13 views

CVE-2026-44692

Sharp is a content management framework built for Laravel as a package. Prior to version 9.22.0, Sharp exposes a generic download endpoint that authorizes access only to the supplied Sharp entity instance, but then reads the target storage disk and path from request parameters. Because the...

7.7CVSS0.00262EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.14 views

sharp 安全漏洞

Sharp is a personal development tool by Lovell, designed to convert large images in common formats into smaller, web-friendly JPEG, PNG, WebP, GIF, and AVIF images. Versions of Sharp prior to 9.22.0 contained a security vulnerability. This vulnerability stemmed from the general download endpoint...

7.7CVSS5.4AI score0.00262EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/29 12:9 p.m.33 views

CVE-2026-9508 Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar

Incorrect permission settings on a critical resource in Suprema BioStar 2 versions 2.9.3 through 2.9.11 that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly...

10CVSS0.00341EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/26 5:29 p.m.10 views

CVE-2026-44776 Kavita: IDOR in /api/Download/*

Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can downloa...

5.9CVSS5.7AI score0.0025EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.62 views

PT-2026-42553

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.5.0 and earlier Description The submit password method in 'concrete/controllers/single page/download file.php' allows unauthorized file access because the process for downloading permission-restricted files bypasses the...

6.3CVSS5.8AI score0.00224EPSS
Exploits0References3
NVD
NVD
added 2026/04/08 7:25 p.m.6 views

CVE-2026-35165

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the documentrepository frontend was restricting file access, the backend endpoint was not...

6.5CVSS0.00165EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/08 6:23 p.m.4 views

CVE-2026-35165 LORIS has incorrect access checks in document_repository

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the documentrepository frontend was restricting file access, the backend endpoint was not...

6.3CVSS5.9AI score0.00165EPSS
Exploits0References1
OSV
OSV
added 2026/03/24 2:16 p.m.9 views

PYSEC-2026-80

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the /api/v1/files/images/flowid/filename endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flowid and filename returns...

7.5CVSS5.8AI score0.05838EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/02/11 8:33 p.m.27 views

CVE-2026-25633 Statamic's missing authorization allows access to assets

Statamic is a, Laravel + Git powered CMS designed for building websites. Prior to 5.73.6 and 6.2.5, users without permission to view assets are able are able to download them and view their metadata. Logged-out users and users without permission to access the control panel are unable to take...

4.3CVSS0.00285EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/02/11 12:0 a.m.7 views

CIPPlanner CIPAce 安全漏洞

CIPPlanner CIPAce is a business process automation and application development platform provided by the American company CIPPlanner. Versions of CIPPlanner CIPAce prior to version 9.17 contained security vulnerabilities. These vulnerabilities were due to access control defects in the File Downloa...

7.5CVSS5.8AI score0.00232EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/01/24 12:0 a.m.6 views

phpMyFAQ Access Control Vulnerability

phpMyFAQ is a multilingual, database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ 4.0.16 and earlier contained an access control vulnerability caused by insufficient permission checks. This vulnerability could allow unauthorized users to download FAQ attachments...

6.5CVSS5.8AI score0.0042EPSS
Exploits1References2
CVE
CVE
added 2026/01/19 6:8 p.m.15 views

CVE-2026-23878

HotCRP vulnerability CVE-2026-23878: Affects HotCRP conference review software where, from commit aa20ef288828b04550950cf67c831af8a525f508 to before commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a site could use the document API to download any submissio...

6.5CVSS5.4AI score0.00257EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/09 10:19 a.m.6 views

CVE-2019-18383

An issue was discovered on TerraMaster FS-210 4.0.19 devices. One can download backup files remotely from terramasterTNAS-00E43Aconfigbackup.bin without permission...

7.5CVSS7AI score0.01604EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 10:7 a.m.8 views

CVE-2019-20484

An issue was discovered in Viki Vera 4.9.1.26180. A user without access to a project could download or upload project files by opening the Project URL directly in the browser after logging in...

8.1CVSS6.9AI score0.00905EPSS
Exploits1References1
Cvelist
Cvelist
added 2025/12/29 12:48 a.m.31 views

CVE-2025-15066 Arbitrary File Download through Path Traversal in Innorix WP

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal', Missing Authorization vulnerability in Innorix WP allows Path Traversal.This issue affects Innorix WP from All versions If the "exam" directory exists under the directory where the product is installed ex: innorix/exam...

6.9CVSS0.00139EPSS
Exploits0References2
CNNVD
CNNVD
added 2025/12/18 12:0 a.m.7 views

TP-Link WA850RE 安全漏洞

TP-Link WA850RE is a wireless signal extender from China P&L TP-Link. A security vulnerability exists in the TP-Link WA850RE V2160527 and prior versions, which stems from improper authentication of the httpd module and could result in the downloading of configuration files...

7.5CVSS6.9AI score0.00436EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/12/17 10:44 p.m.22 views

CVE-2023-53930 ProjectSend r1605 Insecure Direct Object Reference File Download Vulnerability

ProjectSend r1605 contains an insecure direct object reference vulnerability that allows unauthenticated attackers to download private files by manipulating the download ID parameter. Attackers can access any user's private files by changing the 'id' parameter in the download request to process.p...

7.5CVSS0.00323EPSS
Exploits1References3
NVD
NVD
added 2025/12/05 6:16 a.m.5 views

CVE-2016-20023

In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users could download any file from the server if the correct path to a file was provided...

6.5CVSS0.003EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/12/05 12:0 a.m.4 views

CVE-2016-20023

In CKSource CKFinder before 2.5.0.1 for ASP.NET, authenticated users could download any file from the server if the correct path to a file was provided...

5CVSS6.3AI score0.003EPSS
Exploits0References1
Rows per page
Query Builder