Lucene search
33 matches found

Cvelist | added 2026/06/12

CVE-2026-53867 Capgo < 12.128.2 - Orphaned File Retention via Profile Image Replacement

Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them. An attacker who holds a previously generated URL can still fetch the orphaned image file, allowing unauthorized retrieval of user-uploaded content...

CVSS 5.3 | EPSS 0.00183 | Exploits 0 | References 2
CVE | added 2026/06/12

CVE-2026-53867

Capgo before 12.128.2 does not delete previously uploaded profile images, leaving orphaned files accessible via previously generated URLs and enabling unauthorized retrieval of user-uploaded content. This affects Capgo's backend storage handling when users replace or remove images. The CVE notes MED...

CVSS 5.3 | AI score 5.3 | EPSS 0.00183 | Exploits 0 | References 2
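The two Capgo entries above describe the same mechanism: the profile-image handler overwrites the user's pointer to the new object but never deletes the superseded one, so an old URL keeps working. The following is an added example, not Capgo's code, showing that pattern beside a version that deletes the old object on replace and remove, plus a sweep for objects that are already orphaned. The object store, user record and CDN URL scheme are hypothetical stand-ins built for this example.

```python
"""Added example, not Capgo's code: a profile-image service that only
overwrites the database pointer (the orphan-retention pattern described in
CVE-2026-53867) beside one that also deletes the superseded object, plus a
sweep for objects that are already orphaned. The object store, user record
and CDN URL scheme are hypothetical stand-ins built for this example."""
import uuid
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

CDN_PREFIX = "https://cdn.example.invalid/"   # hypothetical public, unauthenticated origin


@dataclass
class ObjectStore:
    """In-memory stand-in for a bucket: key -> bytes."""
    objects: Dict[str, bytes] = field(default_factory=dict)

    def put(self, data: bytes) -> str:
        key = f"avatars/{uuid.uuid4().hex}.png"
        self.objects[key] = data
        return key

    def get(self, key: str) -> Optional[bytes]:
        return self.objects.get(key)

    def delete(self, key: str) -> None:
        self.objects.pop(key, None)


@dataclass
class User:
    user_id: str
    avatar_key: Optional[str] = None


class VulnerableProfileService:
    """Replaces the pointer only; the previous object stays fetchable by URL."""

    def __init__(self, store: ObjectStore) -> None:
        self.store = store

    def replace_avatar(self, user: User, data: bytes) -> str:
        user.avatar_key = self.store.put(data)
        return CDN_PREFIX + user.avatar_key

    def remove_avatar(self, user: User) -> None:
        user.avatar_key = None          # object left behind in the bucket


class FixedProfileService(VulnerableProfileService):
    """Commits the new pointer first, then deletes the old object. A crash
    between the two steps leaves a dangling object for sweep_orphans to
    collect, never a user record pointing at a deleted object."""

    def replace_avatar(self, user: User, data: bytes) -> str:
        old_key = user.avatar_key
        url = super().replace_avatar(user, data)
        if old_key and old_key != user.avatar_key:
            self.store.delete(old_key)
        return url

    def remove_avatar(self, user: User) -> None:
        old_key = user.avatar_key
        super().remove_avatar(user)
        if old_key:
            self.store.delete(old_key)


def fetch_by_url(store: ObjectStore, url: str) -> Optional[bytes]:
    """What someone holding an old URL does: strip the origin, read the key."""
    if not url.startswith(CDN_PREFIX):
        return None
    return store.get(url[len(CDN_PREFIX):])


def sweep_orphans(store: ObjectStore, users: Iterable[User]) -> List[str]:
    """One-off remediation for already-orphaned objects: delete every key no
    current user record references. Returns the deleted keys."""
    live = {u.avatar_key for u in users if u.avatar_key}
    orphans = sorted(k for k in store.objects if k not in live)
    for key in orphans:
        store.delete(key)
    return orphans


def demo(service_cls) -> tuple:
    """Replace an avatar twice and then remove it; report whether the first
    URL is still readable and how many objects remain in the bucket."""
    store = ObjectStore()
    svc = service_cls(store)
    user = User("u1")
    first_url = svc.replace_avatar(user, b"OLD-PNG")   # constructed sample data
    svc.replace_avatar(user, b"NEW-PNG")
    still_readable = fetch_by_url(store, first_url) is not None
    svc.remove_avatar(user)
    return still_readable, len(store.objects)


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableProfileService))   # (True, 2)
    print("fixed:     ", demo(FixedProfileService))        # (False, 0)
```

Deleting on replace fixes new uploads only; objects orphaned before the fix stay reachable until something like sweep_orphans runs against the live user table, which is the part a patch-only remediation tends to miss.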
Positive Technologies | added 2026/03/11

PT-2026-24816

CVE-2026-32097: PingPong is a platform for using large language models (LLMs) for teaching and learning. Prior to 7.27.2, an authenticated user may be able to retrieve or delete files outside the intended authorization scope. This issue could result in retrieval or deletion of private files,...

CVSS 8.8 | AI score 5.7 | EPSS 0.00288 | Exploits 0 | References 6
Positive Technologies | added 2025/12/21

PT-2025-52612

Vulnerable software and affected versions: HappyDevs TempTool versions through 1.3.1. Description: HappyDevs TempTool contains a flaw that could allow unauthorized retrieval of embedded sensitive data, potentially exposing sensitive system information. Recommendations: Update HappyDevs...

CVSS 4.3 | AI score 6.5 | EPSS 0.0018 | Exploits 0 | References 5
CVE | added 2025/11/24

CVE-2025-41016

CVE-2025-41016 affects Davantis DFUSION v6.177.7. The vulnerability is inadequate access control that lets unauthorised actors access alarm media via /alarms//, where MEDIA can be snapshot or video.mp4, exposing images and videos from triggered alerts. CVSSv4 base score 8.7 (HIGH) with NETWORK att...

CVSS 8.7 | AI score 6.5 | EPSS 0.00239 | Exploits 0 | References 1
EUVD | added 2025/10/03

EUVD-2022-7426

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.5 | EPSS 0.00667 | Exploits 0 | References 4
RedhatCVE | added 2025/05/23

CVE-2022-45921

FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. Specifically, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process...

CVSS 7.5 | AI score 6.7 | EPSS 0.00667 | Exploits 0 | References 1
NVD | added 2025/05/07

CVE-2025-47540

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail (wemail) allows Retrieve Embedded Sensitive Data. This issue affects weMail: from n/a through 1.14.13...

CVSS 7.5 | EPSS 0.00336 | Exploits 0 | References 1
RedhatCVE | added 2025/04/03

CVE-2025-31832

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Beee ACF City Selector (acf-city-selector) allows Retrieve Embedded Sensitive Data. This issue affects ACF City Selector: from n/a through 1.17.0...

CVSS 5.3 | AI score 7.2 | EPSS 0.00439 | Exploits 0 | References 1
CVE | added 2024/10/17

CVE-2024-49284

CVE-2024-49284 (WP SendFox): A sensitive data exposure vulnerability in the WordPress plugin WP SendFox (BogdanFix) affects versions

CVSS 5.3 | AI score 5.9 | EPSS 0.00355 | Exploits 0 | References 1
CVE | added 2024/06/16

CVE-2024-38467

CVE-2024-38467 affects Shenzhen Guoxin Synthesis Image System prior to version 8.3.0. The issue permits unauthorized retrieval of user information via the queryUser API; CVSS v3.1 base score 7.5 (HIGH), network attack vector, no privileges or user interaction required. Remediat...

CVSS 7.5 | AI score 6.7 | EPSS 0.00379 | Exploits 0 | References 1 | Affected software 1
Cvelist | added 2024/06/16

CVE-2024-38467

Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized user information retrieval via the queryUser API...

EPSS 0.00379 | Exploits 0 | References 1
Cvelist | added 2024/03/19

CVE-2023-40275

An issue was discovered in OpenClinic GA 5.247.01. It allows retrieval of patient lists via queries such as findFirstname= to common/search/searchByAjax/patientslistShow.jsp...

AI score 6.7 | EPSS 0.00917 | Exploits 0 | References 2
Debian CVE | added 2023/09/12

CVE-2023-32005

A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non- argument. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.statfs API. As a result...

CVSS 5.3 | AI score 6.2 | EPSS 0.01191 | Exploits 1
Cvelist | added 2023/07/10

CVE-2023-30956 IDOR in Foundry Comments allows retrieval of attachments

A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0...

CVSS 5.3 | AI score 5.5 | EPSS 0.00377 | Exploits 0 | References 1
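The Foundry Comments entry above is the classic IDOR shape: the lookup treats possession of the attachment's internal UUID as proof of entitlement. The following is an added example, not Foundry's code, contrasting that lookup with one that authorizes the requester against the parent comment and returns the same "not found" answer for missing and forbidden attachments. The data model, names and sample records are hypothetical.

```python
"""Added example, not Foundry's code: an attachment endpoint keyed by UUID in
the IDOR form described for CVE-2023-30956 (possession of the identifier is
treated as entitlement) beside one that authorizes the requester against the
parent comment. The data model, names and sample records are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Comment:
    comment_id: str
    readers: FrozenSet[str]      # users permitted to read this comment


@dataclass(frozen=True)
class Attachment:
    attachment_id: str           # internal UUID, the only input in the vulnerable lookup
    comment_id: str
    content: bytes


@dataclass
class Repo:
    comments: Dict[str, Comment] = field(default_factory=dict)
    attachments: Dict[str, Attachment] = field(default_factory=dict)


def get_attachment_vulnerable(repo: Repo, attachment_id: str) -> Optional[bytes]:
    """Anyone who learns or guesses the UUID gets the bytes; no caller identity
    is even part of the signature."""
    att = repo.attachments.get(attachment_id)
    return att.content if att else None


def get_attachment_fixed(repo: Repo, requester: str, attachment_id: str) -> Optional[bytes]:
    """Authorization is derived from the object the attachment belongs to,
    not from the opacity of its identifier."""
    att = repo.attachments.get(attachment_id)
    if att is None:
        return None
    parent = repo.comments.get(att.comment_id)
    if parent is None or requester not in parent.readers:
        # Identical response to "not found", so the endpoint does not
        # confirm that a guessed UUID exists.
        return None
    return att.content


def build_sample_repo():
    """Constructed sample data: one private comment with one attachment."""
    repo = Repo()
    repo.comments["c-1"] = Comment("c-1", frozenset({"alice"}))
    att_id = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"   # constructed UUID
    repo.attachments[att_id] = Attachment(att_id, "c-1", b"quarterly-salaries.csv")
    return repo, att_id


if __name__ == "__main__":
    repo, att_id = build_sample_repo()
    print("vulnerable, mallory:", get_attachment_vulnerable(repo, att_id))
    print("fixed, mallory:     ", get_attachment_fixed(repo, "mallory", att_id))
    print("fixed, alice:       ", get_attachment_fixed(repo, "alice", att_id))
```

The requester is an explicit parameter of the fixed lookup on purpose: an authorization check that has to be remembered at each call site is the one that gets forgotten, while one the function cannot be called without is enforced by the type signature.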
Vulnrichment | added 2022/11/28

CVE-2022-45921

FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. Specifically, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process...

AI score 7.4 | EPSS 0.00667 | Exploits 0 | References 2
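Both FusionAuth entries describe a file read that is not confined to the application root. The following is an added example, not FusionAuth's code, of the containment check whose absence defines that class of flaw: decode the request once, canonicalize with realpath so that both `..` and symlinks are resolved, then require the result to sit under the canonical root. The directory layout, the symlink and the request strings in `demo()` are constructed for this example.

```python
"""Added example, not FusionAuth's code: confining a client-supplied path to a
serving root before reading it, the check whose absence is the class of flaw
described in CVE-2022-45921. The directory layout and the request strings in
demo() are constructed for this example."""
import os
import shutil
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the canonical path of an existing regular file under root, or
    None if the request escapes. Percent-encoding is decoded once; the
    candidate is canonicalized with realpath so both '..' and symlinks are
    resolved before the containment test."""
    real_root = os.path.realpath(root)
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    # Treat every request as relative to root: a leading '/' must not let
    # os.path.join discard root.
    candidate = os.path.realpath(os.path.join(real_root, decoded.lstrip("/\\")))
    try:
        if os.path.commonpath([real_root, candidate]) != real_root:
            return None
    except ValueError:          # different drives on Windows
        return None
    return candidate if os.path.isfile(candidate) else None


def demo() -> Dict[str, bool]:
    """Build a root with one public file, a neighbour directory with a secret,
    and a symlink inside root pointing at that secret; report which requests
    the check lets through."""
    base = tempfile.mkdtemp()
    try:
        root = os.path.join(base, "webroot")
        outside = os.path.join(base, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>public</h1>")
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("db-password=hunter2")           # constructed sample
        os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "link"))
        requests = {
            "plain": "index.html",
            "dotdot": "../outside/secret.txt",
            "encoded": "..%2Foutside%2Fsecret.txt",
            "absolute": "/index.html",          # served: treated as relative to root
            "symlink": "link",                   # refused: target is outside root
            "missing": "nope.html",
        }
        return {name: resolve_under_root(root, req) is not None
                for name, req in requests.items()}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:9s} {'served' if allowed else 'refused'}")
```

The order matters: comparing the raw request against a denylist of `..` before canonicalization misses encoded forms and symlinks, and canonicalizing without then checking the prefix misses everything. A string prefix test on the canonical path is also insufficient on its own (`/srv/webroot-old` starts with `/srv/webroot`), which is why the example uses `os.path.commonpath` rather than `startswith`.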
NVD | added 2022/08/10

CVE-2022-32245

SAP BusinessObjects Business Intelligence Platform (Open Document), versions 420 and 430, allows an unauthenticated attacker to retrieve sensitive information in plain text over the network. On successful exploitation, the attacker can view any data available to a business user and put load on the...

CVSS 8.2 | EPSS 0.00442 | Exploits 0 | References 2
Prion | added 2022/04/01

Authentication flaw

Philips Vue PACS versions 12.2.x.x and prior transmit or store authentication credentials using an insecure method that is susceptible to unauthorized interception and/or retrieval...

CVSS 5 | AI score 8.1 | EPSS 0.00861 | Exploits 0 | References 2 | Affected software 4
UbuntuCve | added 2022/04/01

CVE-2022-0373

Improper access control in GitLab CE/EE versions 12.4 to 14.5.4, 14.5 to 14.6.4, and 12.6 to 14.7.1 allows project non-members to retrieve the service desk email address...

CVSS 4.3 | AI score 5.8 | EPSS 0.00933 | Exploits 1 | References 4
Cvelist | added 2022/03/08

CVE-2022-26317

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions V7.23.29). When returning the result of a completed Microflow execution call, the affected framework does not correctly verify whether the request was initially made by the user requesting the result. Together with...

AI score 6.5 | EPSS 0.00898 | Exploits 0 | References 1