16 matches found
GHSA-CHQV-VRJ7-QFFP NocoDB: Shared-base link access can invite arbitrary users as persistent base members
Summary: Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (xc-shared-base-id), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem the...
EUVD-2026-12740
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint UserInviteController::register accepts all POST parameters and passes them to UserModel::create without filtering out the role field. An attacker who receives an...
PT-2026-26020
Kanboard is project management software focused on Kanban methodology. Prior to 1.2.51, Kanboard's user invite registration endpoint UserInviteController::register accepts all POST parameters and passes them to UserModel::create without filtering out the role field. An attacker who receives an...
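Worked example added here to illustrate the pattern behind the two Kanboard entries above (EUVD-2026-12740 and PT-2026-26020). It is not Kanboard's code (Kanboard is PHP; this is a Python model of the same mass-assignment bug): a registration handler that forwards every POST field into the user model lets the invitee choose their own role, while the fixed handler allow-lists the client-settable fields and assigns the role server-side. `UserStore`, `register_unsafe`, `register_safe` and the role strings are illustrative assumptions, and the request body is constructed.

```python
# Added example, not Kanboard's code: mass assignment via an invite
# registration endpoint, beside the allow-list fix. UserStore, the two
# register_* handlers and the role strings are illustrative assumptions.
from dataclasses import dataclass, field


@dataclass
class UserStore:
    """Stands in for a model layer that trusts its caller (every key is stored)."""
    users: dict = field(default_factory=dict)

    def create(self, values: dict) -> dict:
        row = {"role": "app-user"}   # default for new accounts
        row.update(values)           # caller-supplied keys win, including "role"
        self.users[row["username"]] = row
        return row


# Fields an invited user may legitimately set on their own account.
ALLOWED_FIELDS = {"username", "password", "name"}


def register_unsafe(store: UserStore, invite_email: str, post: dict) -> dict:
    """Vulnerable pattern: every POST parameter flows into create() unfiltered."""
    values = dict(post)
    values["email"] = invite_email   # the invite binds the address, nothing else
    return store.create(values)


def register_safe(store: UserStore, invite_email: str, post: dict) -> dict:
    """Fixed pattern: allow-list client fields; the server decides the role."""
    unexpected = set(post) - ALLOWED_FIELDS
    if unexpected:
        # Reject rather than silently drop: a stray "role" is worth logging.
        raise ValueError(f"unexpected registration fields: {sorted(unexpected)}")
    values = {k: post[k] for k in ALLOWED_FIELDS if k in post}
    values["email"] = invite_email
    values["role"] = "app-user"      # never read from the request
    return store.create(values)


# Constructed request body: an invitee adding a role field to the signup form.
TAMPERED_POST = {"username": "mallory", "password": "hunter2",
                 "name": "Mallory", "role": "app-admin"}


def demo() -> tuple:
    """Returns (role stored by the vulnerable handler, outcome of the safe one)."""
    unsafe_role = register_unsafe(UserStore(), "m@example.invalid", TAMPERED_POST)["role"]
    try:
        register_safe(UserStore(), "m@example.invalid", TAMPERED_POST)
        safe_outcome = "accepted"
    except ValueError:
        safe_outcome = "rejected"
    return unsafe_role, safe_outcome


if __name__ == "__main__":
    print(demo())
```

The check that matters is the last line of `register_safe`: the role is a server decision tied to the invite, so it must be set from the invite (or a fixed default), never copied from the form, regardless of how the model layer treats extra keys.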
EUVD-2022-28175
Malicious code in bioql PyPI...
EUVD-2022-48192
Malicious code in bioql PyPI...
Open Social - Less critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-015
Open Social is a Drupal distribution for online communities, which ships with a default module to invite users to groups and events. Invites for a specific user can be seen under certain conditions. The issue is mitigated for events by the fact that socialeventmaxenroll has to be enabled...
CVE-2024-2232
The affected application lacks CSRF checks, allowing a user to invite any user to any group, including private groups...
CVE-2022-45292
User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted...
Design/Logic Flaw
User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted...
CVE-2022-45292
User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted...
CVE-2022-45292
CVE-2022-45292 affects Funkwhale v1.2.8. The vulnerability is that user invites do not permanently expire after signup and invites can be reused after the associated account is deleted, enabling potential reuse of invitations and account abuse. The connected PT-2022-27460 entry provides the affec...
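Worked example added here for the CVE-2022-45292 entries above. It is not Funkwhale's code; it is a Python model of the invite lifecycle that shows one way this class of bug arises (an assumption, not the confirmed root cause): if "used" is inferred from the existence of the account the invite created, deleting that account silently revives the invite. The fixed design records consumption on the invite itself. `Invite`, `InviteSystem`, the `derive_used_from_users` switch and the clock values are constructed for illustration.

```python
# Added example, not Funkwhale's code: an invite must record its own
# consumption rather than infer it from the account it created.
# Invite, InviteSystem and the flawed/fixed modes are assumptions.
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Invite:
    code: str
    expires_at: datetime
    used_at: Optional[datetime] = None   # lives on the invite, not on the user


@dataclass
class InviteSystem:
    # derive_used_from_users=True models the flawed design: an invite counts as
    # used only while a live account still references it.
    derive_used_from_users: bool = False
    invites: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)   # username -> invite code

    def issue(self, now: datetime, ttl_hours: int = 48) -> str:
        code = secrets.token_urlsafe(16)
        self.invites[code] = Invite(code, now + timedelta(hours=ttl_hours))
        return code

    def is_valid(self, code: str, now: datetime) -> bool:
        inv = self.invites.get(code)
        if inv is None or now >= inv.expires_at:
            return False
        if self.derive_used_from_users:
            return code not in self.users.values()   # revives once the user is gone
        return inv.used_at is None                    # permanent once redeemed

    def signup(self, code: str, username: str, now: datetime) -> None:
        if not self.is_valid(code, now):
            raise PermissionError("invite invalid, expired or already used")
        self.invites[code].used_at = now     # consumed for good
        self.users[username] = code

    def delete_user(self, username: str) -> None:
        del self.users[username]             # the invite row is left untouched


def reusable_after_deletion(flawed: bool) -> bool:
    """Issue, redeem, delete the account, then ask whether the invite still works."""
    system = InviteSystem(derive_used_from_users=flawed)
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock
    code = system.issue(t0)
    system.signup(code, "alice", t0)
    system.delete_user("alice")
    return system.is_valid(code, t0 + timedelta(hours=1))


def expired_invite_rejected() -> bool:
    """Time-based expiry is enforced in both designs."""
    system = InviteSystem()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    code = system.issue(t0, ttl_hours=1)
    return not system.is_valid(code, t0 + timedelta(hours=2))


if __name__ == "__main__":
    print("flawed design reusable after deletion:", reusable_after_deletion(True))
    print("fixed design reusable after deletion: ", reusable_after_deletion(False))
```

The practical check when reviewing an invite feature: redeem an invite, delete (or deactivate) the resulting account, and try the same invite code again; it should be refused both before and after the account is gone.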
CVE-2022-31025
CVE-2022-31025 affects Discourse; prior to versions 2.8.4 (stable) and 2.9.0beta5 (beta/tests-passed) an SSO-based invite could bypass must_approve_users, causing invites by staff to be auto-approved. A fix is available: Discourse 2.8.4 on stable and 2.9.0.beta5 on beta/tests-passed. Workarounds ...
Pushwoosh: Bypass the resend limit in Send Invites
Attacker was able to bypass the limit in user invites...
User invite functionality available to non-admins
The REST API which manages user invites ensures that only administrators can generate a new invite token. However, no similar access controls are present on the methods which are used to invite new users, or to revert to the previous security token – these can be successfully called by any...
User invite functionality available to non-admins
The REST API which manages user invites ensures that only administrators can generate a new invite token. However, no similar access controls are present on the methods which are used to invite new users, or to revert to the previous security token – these can be successfully called by any...
User invite functionality available to non-admins
The REST API which manages user invites ensures that only administrators can generate a new invite token. However, no similar access controls are present on the methods which are used to invite new users, or to revert to the previous security token – these can be successfully called by any...
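Worked example added here covering the three "User invite functionality available to non-admins" entries above and the NocoDB entry at the top of the list. It is not the affected API's code nor NocoDB's; it is a Python model of deny-by-default authorization applied to every invite-management call, set beside an API that checks the caller only on token generation, so that a non-admin member or a shared-link viewer can still invite users, revert the token and enumerate members. `Principal`, `CAPABILITIES`, both API classes and the token values are illustrative assumptions.

```python
# Added example, not NocoDB's or the affected REST API's code: deny-by-default
# authorization on every invite-management method, beside an API that guards
# only token generation. Principal, CAPABILITIES and both API classes are
# illustrative assumptions.
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class Principal:
    kind: str   # "admin", "member" or "shared_link" (a shared-base viewer)


# Which principal kinds may perform each action; anything absent is denied.
CAPABILITIES = {
    "generate_invite_token": {"admin"},
    "invite_user": {"admin"},
    "revert_invite_token": {"admin"},
    "list_members": {"admin", "member"},
}


def requires(action: str):
    """Decorator: consult the capability table before the method body runs."""
    def decorate(method):
        @wraps(method)
        def guarded(self, principal: Principal, *args, **kwargs):
            if principal.kind not in CAPABILITIES.get(action, set()):
                raise PermissionError(f"{principal.kind} may not {action}")
            return method(self, principal, *args, **kwargs)
        return guarded
    return decorate


class InviteApiVulnerable:
    """Only token generation checks the caller; the other methods trust anyone."""

    def __init__(self):
        self.token, self.previous, self.members = "tok-1", "tok-0", set()

    def generate_invite_token(self, principal: Principal):
        if principal.kind != "admin":
            raise PermissionError("admin only")
        self.previous, self.token = self.token, "tok-2"

    def invite_user(self, principal: Principal, email: str = "new@example.invalid"):
        self.members.add(email)                      # no caller check

    def revert_invite_token(self, principal: Principal):
        self.token, self.previous = self.previous, self.token   # no caller check

    def list_members(self, principal: Principal):
        return sorted(self.members)                  # no caller check


class InviteApiFixed(InviteApiVulnerable):
    """Same behaviour, but every method is gated by the capability table."""

    @requires("generate_invite_token")
    def generate_invite_token(self, principal: Principal):
        super().generate_invite_token(principal)

    @requires("invite_user")
    def invite_user(self, principal: Principal, email: str = "new@example.invalid"):
        super().invite_user(principal, email)

    @requires("revert_invite_token")
    def revert_invite_token(self, principal: Principal):
        super().revert_invite_token(principal)

    @requires("list_members")
    def list_members(self, principal: Principal):
        return super().list_members(principal)


def probe(api_cls, kind: str) -> set:
    """Actions the given principal kind can complete against the API."""
    api, principal = api_cls(), Principal(kind)
    allowed = set()
    for action in CAPABILITIES:
        try:
            getattr(api, action)(principal)
            allowed.add(action)
        except PermissionError:
            pass
    return allowed


if __name__ == "__main__":
    for cls in (InviteApiVulnerable, InviteApiFixed):
        for kind in ("shared_link", "member", "admin"):
            print(cls.__name__, kind, sorted(probe(cls, kind)))
```

`probe` doubles as a quick regression test for this class of bug: enumerate every invite-related endpoint with each principal type the system recognises (including unauthenticated and link-based sessions) and compare the result against the capability table rather than checking the one endpoint the documentation calls admin-only.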