CVE-2026-0245

Technical details about CVE-2026-0245 are not publicly available in the provided documents. Monitor for updates; no specific affected versions, root cause, or mitigations are disclosed here.

CVE-2026-0245

Multiple information disclosure vulnerabilities in Prisma Access Agent® allow a local user to access sensitive configuration data and credentials. The Prisma Access Agent on Linux, ChromeOS, Android, and iOS are not affected...

CVE-2026-0245 Prisma Access Agent: Information Disclosure Vulnerabilities

Multiple information disclosure vulnerabilities in Prisma Access Agent® allow a local user to access sensitive configuration data and credentials. The Prisma Access Agent on Linux, ChromeOS, Android, and iOS are not affected...

CVE-2026-6282

A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device...

GHSA-RMP5-5JJ7-GMVF MantisBT has an authorization bypass that allows reading attachments after losing access to a private issue

MantisBT permits a user to list and download their own attachments from an Issue created by another user, even after that Issue becomes private and direct access to it is denied. Impact The loss of confidentiality caused by this vulnerability is minimal, considering that only the attachments that...

CVE-2026-7813

pgAdmin 4 server mode CVE-2026-7813 enables cross-user data access and privilege escalation in Shared Servers. An authenticated user could enumerate object IDs to fetch another user’s private servers, server groups, background processes, and debugger arguments due to lacking user-scoped access co...

Kirby 安全漏洞

Kirby is a set of open-source content management systems based on files. Versions of Kirby prior to 4.9.0 and 5.4.0 have security vulnerabilities. These vulnerabilities stem from the system’s API endpoints leaking license data and installed versions to authenticated users...

CVE-2026-42456 AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (IDOR)

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace...

CVE-2026-42456

AnythingLLM vulnerable prior to v1.12.1: GET /api/workspace/:slug/tts/:chatId exposes another user’s private chat response as TTS audio due to ownership check not being enforced, enabling IDOR. Authenticated users can access audio content by guessing known chatId. Issue patched in v1.12.1; remedi...

GHSA-45M8-CPM2-3V65 Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access Affected Component Socket.IO session state and role-check callsites: - backend/openwebui/socket/main.py lines 330-351, connect handler — role snapshotted into SESSIONPOOL - backend/openwebui/socket/main.py lin...

CVE-2026-6737

An Exposed IOCTL with Insufficient Access Control vulnerability in AsusPTPFilter allows a local user to bypass driver security mechanisms and obtain restricted touchpad information or render the touchpad unusable via crafted IOCTL requests.Refer to the ' Security Update for ASUS Precision...

CVE-2026-3508

The CVE-2026-3508 entry describes an Out-of-bounds Read in the IOCTL handler of ASUS System Control Interface. This allows a local user to trigger a system crash (BSOD) by issuing a read size larger than the internal buffer. Affected component: IOCTL handling within ASUS System Control Interface;...

CVE-2026-6737

The CVE-2026-6737 entry concerns AsusPTPFilter used by ASUS Precision Touchpad. It describes an Exposed IOCTL with Insufficient Access Control that allows a local user to bypass driver security, potentially exposing restricted touchpad data or rendering the touchpad unusable through crafted IOCTL...

PT-2026-38660

Name of the Vulnerable Software and Affected Versions Onyx versions prior to 3.0.9 Onyx versions prior to 3.1.6 Onyx versions prior to 3.2.6 Description An issue in the AI platform allows an authenticated user to terminate another user's active chat session. The endpoint...

ASUS AsusPTPFilter 安全漏洞

ASUS AsusPTPFilter is a system driver component developed by ASUS Corporation in China, designed for filtering touchpad inputs and suppressing accidental palm touches. There is a security vulnerability in ASUS AsusPTPFilter, which stems from insufficient access control for exposed IOCTLs. This...

Weblate 安全漏洞

Weblate is an open-source, copyleft, web-based free software system for continuous localization. Versions of Weblate prior to 5.17.1 contained a security vulnerability, which was exploited by screenshots, tasks, and component link APIs, allowing enumeration of translations in items that users...

CI4MS 代码问题漏洞

CI4MS is an open-source blog page management tool developed by Ci4MS. Versions of CI4MS from 0.26.0.0 to 0.31.7.0 had code-related vulnerabilities. These vulnerabilities stemmed from the theme upload feature not filtering PHP files within ZIP files. This could allow authenticated users to execute...

CVE-2026-34458

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions EditAdminOnly and ConfigPassword and inject arbitrary directives into the global...

PT-2026-37225

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions EditAdminOnly and ConfigPassword and inject arbitrary directives into the global...

CVE-2026-42092 Global Settings Publication Exposes Sensitive Configuration to Any Authenticated User in Titra

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as googlesecret, openaiapikey, and...