Admidio 安全漏洞

Admidio is a set of open-source member management systems developed by the Admidio team. This system supports features such as member lists, event management, message boards, photo albums, and downloads. Versions of Admidio prior to 5.0.9 contained security vulnerabilities. These vulnerabilities...

ShinyHunters’ Instructure Canvas LMS and Vimeo Breaches Impact Millions of Users

ShinyHunters breached Instructure and Vimeo, exposing millions of student and user records through direct and supply chain attacks...

Exploit for CVE-2025-48757

cso-vibecheck Senior-CSO security audit skill for vibe-coded...

PT-2026-29444

A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file gougucms-masterappadminviewuserrecord.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack...

CVE-2026-33541

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. Whil...

GHSA-F346-8RP3-4H9H TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service

Summary A flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded...

TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service

Summary A flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded...

EUVD-2026-16398

TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service...

CVE-2026-33541

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. Whil...

CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...

CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...

CVE-2026-33541

TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage reports, investigations, appeals, and transparency work. Prior to version 34, a flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. Whil...

Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Summary A public access-control flaw allows unauthenticated users to retrieve the full user list from GET /api/allusers. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration. Details The vulnerable route is registered as a public endpoint:...

CVE-2026-32638 StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token...

EUVD-2026-8646

Budibase: Remote Code Execution via Unsafe eval in View Filter Map Function Budibase Cloud...

Substack Breach: 662,752 User Records Leaked on Cybercrime Forum

Substack confirms a breach after hacker accessed internal user records now circulating on crime forums, exposing emails, phone numbers, and account metadata...

EUVD-2025-199726

Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information...

CVE-2025-65238

Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information...

CVE-2025-65238

Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information...

PT-2025-48156

Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information...