CVE-2026-6713

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.10.7, 18.11 before 18.11.4, and 19.0 before 19.0.1 that under certain conditions could have allowed an unauthorized user to enumerate private projects due to incorrect authorization checks...

EUVD-2026-30798

HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios...

PT-2026-41722

Name of the Vulnerable Software and Affected Versions HCL Connections affected versions not specified Description Broken access control may allow an unauthorized user to update data in certain scenarios. Recommendations At the moment, there is no information about a newer version that contains a...

chartbrew 安全漏洞

Chartbrew is an open-source data visualization and dashboard building tool developed by Chartbrew. Version 4.9.0 of Chartbrew contains a security vulnerability. This vulnerability stems from the lack of authentication for the POST /api/chart/:chartid/query endpoint. Only the team.allowReportRefre...

GHSA-VJ45-X3PJ-F4W4 Weblate: Improper access control for pending tasks in API

Impact The API for tasks didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. Patches https://github.com/WeblateOrg/weblate/pull/18515 Workarounds The attacker needs to guess the random UUID of the task, so...

CVE-2026-33212

CVE-2026-33212 affects Weblate (web-based localization tool). The vulnerability lies in the tasks API where, in versions prior to 5.17, access control for pending tasks was not enforced, potentially exposing in-progress task logs to users without the proper scope. The attack requires brute-forcin...

EUVD-2026-22649

Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network...

CVE-2026-32084

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally...

CVE-2026-32079

Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally...

CVE-2025-14684

IBM Maximo Application Suite - Monitor Component 9.1, 9.0, 8.11, and 8.10 could allow an unauthorized user to inject data into log messages due to improper neutralization of special elements when written to log files...

EUVD-2026-14942

Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users...

GHSA-VGJG-248P-RFM2 Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users

Summary A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. Root-cause analysis: 1...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.2.25 contained security vulnerabilities. These vulnerabilities stemmed from access control issues in signal reaction notification processing, which could allow unauthorized sender...

CVE-2026-33251 Discourse has a Hidden Solved topics permission bypass

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass vulnerability in hidden Solved topics may allow unauthorized users to accept or unaccept solutions. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a...

CVE-2026-32028

OpenClaw versions prior to 2026.2.25 fail to enforce dmPolicy and allowFrom authorization checks on Discord direct-message reaction notifications, allowing non-allowlisted users to enqueue reaction-derived system events. Attackers can exploit this inconsistency by reacting to bot-authored DM...

CVE-2026-32005

OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including blockaction, viewsubmission, and viewclosed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue...

CVE-2026-29072

CVE-2026-29072 affects Discourse prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, where users not in the allowed policy creation groups could create functional policy acceptance widgets in posts under certain conditions. The root cause is a flaw in policy widget creation permissions that allow...

.net: .NET: Denial of Service via out-of-bounds read

A flaw was found in .NET. An unauthorized attacker can exploit an out-of-bounds read vulnerability over a network, leading to a Denial of Service DoS. This can prevent legitimate users from accessing the affected service...

GO-2026-4589 Rancher cloud credentials can be used through proxy API by users without access in github.com/rancher/rancher

Rancher cloud credentials can be used through proxy API by users without access in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports fr...

Gokapi 访问控制错误漏洞

Gokapi is a lightweight, self-hosted alternative to Firefox sending by Marc Bulling. Versions of Gokapi prior to 2.2.3 contained an access control vulnerability. This vulnerability stemmed from the ability of users without the permission to create or modify files to create temporary API keys with...