44 matches found

Positive Technologies
added 2026/05/27 12:00 a.m. · 2 views

PT-2026-44153

TL;DR This vulnerability affects all Kirby sites that restrict the visibility of users for certain roles via the users.access or users.list permissions. A site is affected if users of a particular role are not allowed to see other users in the Panel, for example because the role's blueprint sets...

CVSS 5.3 · AI score 5.6
Exploits 0 · References 5
NVD
added 2026/04/07 5:16 p.m. · 1 view

CVE-2026-39384

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limitusercustomervisibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212...

CVSS 7.6 · EPSS 0.00046
Exploits 1 · References 2
Positive Technologies
added 2026/04/07 12:00 a.m. · 6 views

PT-2026-30898

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit user customer visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212...

CVSS 7.6 · AI score 5.9 · EPSS 0.00046
Exploits 1 · References 3
OSV
added 2026/01/30 8:40 a.m. · 2 views

BIT-GITEA-2026-20904 Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities...

CVSS 6.5 · AI score 5.9 · EPSS 0.00018
Exploits 0 · References 6
Snyk
added 2026/01/22 10:50 p.m. · 2 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the ToggleUserOpenIDVisibility function. An authenticated attacker can modify the visibility settings of other users' OpenID identities. Remediation Upgrade...

CVSS 6.5 · AI score 5.6 · EPSS 0.00018
Exploits 0 · References 2
Cvelist
added 2026/01/22 10:01 p.m. · 14 views

CVE-2026-20904 Gitea: Broken access control in OpenID visibility toggle enables cross-user visibility changes

Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities...

EPSS 0.00018
Exploits 0 · References 5
Vulnrichment
added 2026/01/15 1:15 p.m. · 2 views

CVE-2026-22646

Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information like file paths, database errors, or software versions that can be used to map the application's internal structu...

CVSS 4.3 · AI score 6.5 · EPSS 0.00022
Exploits 0 · References 6
RedhatCVE
added 2026/01/07 9:38 a.m. · 4 views

CVE-1999-0259

cfingerd lists all users on a system via search.@target...

CVSS 5 · AI score 6.9 · EPSS 0.0061
Exploits 0 · References 1
EUVD
added 2025/10/07 12:30 a.m. · 1 view

EUVD-2020-4314

Malware in sbrugna...

CVSS 4.3 · AI score 5.3 · EPSS 0.00509
Exploits 0 · References 3
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2025-4277

Malicious code in bioql PyPI...

CVSS 5.3 · AI score 5.5 · EPSS 0.00365
Exploits 0 · References 4
Positive Technologies
added 2025/06/25 12:00 a.m. · 2 views

PT-2025-26841 · Discourse · Discourse

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 3.4.6 Discourse versions prior to 3.5.0.beta8-dev Description: Discourse is an open-source discussion platform where the visibility of posts typed whisper is controlled via the whispers allowed groups site setting...

CVSS 7.5 · AI score 6.1 · EPSS 0.00512
Exploits 0 · References 7
RedhatCVE
added 2025/05/31 4:38 p.m. · 10 views

CVE-2025-48475

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the System does not provide a check on which "clients" of the System an authorized user can view and edit, and which ones they cannot. As a result, an authorized user who does not have access to any of the...

CVSS 8.1 · AI score 6.8 · EPSS 0.00224
Exploits 1 · References 1
RedhatCVE
added 2025/05/23 6:03 a.m. · 2 views

CVE-2023-28482

An issue was discovered in Tigergraph Enterprise 3.7.0. A single TigerGraph instance can host multiple graphs that are accessed by multiple different users. The TigerGraph platform does not protect the confidentiality of any data uploaded to the remote server. In this scenario, any user that has...

CVSS 6.5 · AI score 7.2 · EPSS 0.0009
Exploits 1 · References 1
RedhatCVE
added 2025/04/25 11:42 p.m. · 4 views

CVE-2025-2564

Mattermost versions 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9 fail to properly enforce the 'Allow users to view/update archived channels' System Console setting, which allows authenticated users to view members and member information of archived channels even when this setting is disabled...

CVSS 4.3 · AI score 6.3 · EPSS 0.0019
Exploits 0 · References 1
Tenable Nessus
added 2025/04/10 12:00 a.m. · 1 view

Moodle < 4.1.12 Multiple Vulnerabilities

According to its self-reported version, the Moodle install hosted on the remote host is 4.1.x prior to 4.1.12, 4.2.x prior to 4.2.9, 4.3.x prior to 4.3.6, or 4.4.x prior to 4.4.2. It is, therefore, affected by multiple vulnerabilities. - An LFI vulnerability when restoring malformed block backups....

CVSS 8.1 · AI score 7.2 · EPSS 0.01529
Exploits 0 · References 39
OSV
added 2025/03/02 7:13 a.m. · 4 views

BIT-MASTODON-2025-27399 Mastodon's domain blocks & rationales ignore user approval when visibility set as "users"

Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins...

CVSS 5.3 · AI score 5.1 · EPSS 0.00449
Exploits 0 · References 5
CNNVD
added 2024/10/09 12:00 a.m. · 2 views

CTFd security vulnerability

CTFd is a Capture The Flag framework open-sourced by CTFd. A security vulnerability exists in CTFd versions 2.0.0 through 3.7.2, which stems from a lack of privilege verification that allows an authenticated user to retrieve a list of users who have solved a challenge, regardless of account...

CVSS 4.3 · AI score 6.8 · EPSS 0.00294
Exploits 0 · References 4
Tenable Nessus
added 2024/05/02 12:00 a.m. · 9 views

Meinberg LANTIME Information Disclosure (CVE-2018-10836)

Other logged-in users were visible to info users and admin users through the function 'logged in users'. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information. %NASLMINLEVEL 80900 C Tenable, Inc. include'compat.inc'; if description...

AI score 7
Exploits 0 · References 2
CNNVD
added 2024/04/30 12:00 a.m. · 2 views

Octopus Server security vulnerability

Octopus Server is an automated deployment platform. A security vulnerability exists in Octopus Server versions prior to 2022.2.7934 and prior to 2022.3.9163, which stems from a newly created user without the required authorization being able to view all users, user roles, and permissions...

CVSS 3.5 · AI score 6.6 · EPSS 0.00094
Exploits 0 · References 2
OSV
added 2024/03/06 11:09 a.m. · 14 views

BIT-DISCOURSE-2021-43792 Notifications leak in Discourse

Discourse is an open source discussion platform. In affected versions a vulnerability affects users of tag groups who use the "Tags are visible only to the following groups" feature. A tag group may only allow a certain group e.g. staff to view certain tags. Users who were tracking or watching th...

CVSS 4.3 · AI score 4.4 · EPSS 0.00265
Exploits 0 · References 4