Authorization Bypass Through User-Controlled Key

Overview chromadb is a Chroma. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to insufficient authorization checks when UUID is provided. An attacker can gain unauthorized access to read, write, update, or delete data belonging to other...

MINI-45G4-3JJ6-967C

Bulletin has no description...

ECHO-4AD2-F6DA-0B95

Bulletin has no description...

CVE-2026-44379

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or modify Collection records could submit malformed UUID values, potentially causing integrity issues o...

MINI-G5FP-W567-XJ3F

Bulletin has no description...

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses uuid-7.0.3.tgz which is vulnerable to CVE-2026-41988

Summary Security Bulletin: IBM Maximo Application Suite - Monitor Component uses uuid-7.0.3.tgz which is vulnerable to CVE-2026-41988.This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-41988 DESCRIPTION: uuid before 14.0.0 can make unexpected...

CVE-2026-9712

When creating an export through the pretix API, API clients are returned an UUID value for their export job a long, random string like 35742818-c375-4d15-839f-d49aecce94d6. Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places...

CVE-2026-44712 pam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $id/tmp/rce in the config causes root RCE when pamusb-conf --reset-pads is run. A USB device with a crafted filesystem UUID some controllers allow this can inject the payload a...

CVE-2026-9712

When creating an export through the pretix API, API clients are returned an UUID value for their export job a long, random string like 35742818-c375-4d15-839f-d49aecce94d6. Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places...

Cloud Foundry BOSH Director 安全漏洞

Cloud Foundry BOSH Director is a cloud infrastructure deployment and lifecycle management platform developed by the US Cloud Foundry company. Versions of Cloud Foundry BOSH Director prior to v282.1.12 contained security vulnerabilities. These vulnerabilities stemmed from AgentClient not performin...

Security Bulletin: TDI is vulnerable to do not reject out of range writes due to uuid-11.1.0 - CVE-2026-41907

Summary portal-tdi, portal-tdl and portal gcm uses carbon data table and this library requires uuid 11.1.0 the same library have this CVE-2026-41907 Vulnerability Details CVEID:CVE-2026-41907 DESCRIPTION: uuid is for the creation of RFC9562 formerly RFC4122 UUIDs. Prior to 14.0.0, v3, v5, and v6...

PT-2026-41877

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description An Insecure Direct Object Reference IDOR flaw exists in the Authorization Services Protection API endpoint. An authenticated client can bypass authorization checks by providing the unique...

CVE-2026-41948 Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencod...

CVE-2026-44678 Tuist: IDOR in preview deletion API allows cross-tenant deletion of any preview by UUID

Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/accounthandle/projecthandle/previews/previewid endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route's project-lev...

CVE-2026-44678 Tuist: IDOR in preview deletion API allows cross-tenant deletion of any preview by UUID

Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/accounthandle/projecthandle/previews/previewid endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route's project-lev...

GHSA-4G37-7P2C-38R9 Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls

IDOR: Retrieval API Bypasses Knowledge Base Access Controls Author: Andrew Orr Summary validatecollectionaccess PR 22109 checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who...

EUVD-2026-29902

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier...

CVE-2026-21015

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier...

CVE-2026-21015

CVE-2026-21015 : The issue concerns incorrect default permissions in the FactoryCamera prior to the SMR May-2026 Release 1, enabling a local attacker to access the device’s unique identifier. The CVSS v4.0 metrics indicate a LOCAL attack vector, LOW attack complexity, and LOW privilegesRequired, ...

CVE-2026-21015

Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier...