ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check

Summary GET /api/namespaces/:tenant returns the full namespace object — including the members list user IDs, e-mails, roles, settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope. The handler conditionally skips the...

PT-2026-38314

Name of the Vulnerable Software and Affected Versions ShellHub versions prior to 0.24.2 Description An issue exists where the endpoint "/api/devices/:uid" returns the full device object to any authenticated user without verifying if the device belongs to the caller's namespace tenant. An...

CVE-2025-11945

AFFiNE (toeverything) up to version 0.24.1 contains a cross-site scripting flaw in the Avatar Upload Image Endpoint due to manipulation of unknown code paths. The issue can be exploited remotely and a public exploit exists; vendor did not respond to disclosure. No remediation details are provided...

WordPress plugin Relocate Upload 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site request forge...

PT-2021-18262 · Evm · Evm

Name of the Vulnerable Software and Affected Versions: evm versions prior to 0.21.1 evm versions prior to 0.23.1 evm versions prior to 0.24.1 evm versions prior to 0.25.1 evm versions prior to 0.26.1 Description: The issue is related to the execution of specific EVM opcodes that use evm...