92 matches found
GHSA-X76W-8C62-48MG Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission
Summary A user with Control Panel access but without permission to view a target private asset can call assets/preview-thumb and receive preview HTML that contains a signed fallback transform link for that private asset. Details Root-cause analysis: 1. The endpoint accepts an attacker-controlled...
CVE-2026-14613 Keycloak-services: keycloak-services: keycloak: fgap v2 role groups endpoint discloses hidden group metadata without group view permission
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions FGAP v2 are turned on, an administrator who is allowed to see a specific "role" can...
CVE-2026-44735 OpenProject: Shares API Information Disclosure
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the viewsharedworkpackages permission. The authorization check operates at the project level onl...
PT-2026-52904
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.2 OpenProject versions prior to 17.4.0 Description An authorization flaw exists where the 'GET /api/v3/shares' endpoint returns share details for all work packages within a project to any user possessing the...
EUVD-2026-38178
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview...
CVE-2026-9057
A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available...
CVE-2026-35443
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...
CVE-2026-35443
NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...
Incorrect Authorization
Overview pimcore/pimcore is a content & product management framework CMS/PIM/E-Commerce. Affected versions of this package are vulnerable to Incorrect Authorization in the WordExport process. An attacker can access and export sensitive document content by exploiting insufficient object-level...
Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export
Summary The WordExport export flow only checks whether the current backend user has the feature permission wordexport. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have view...
PT-2026-44158
Summary The WordExport export flow only checks whether the current backend user has the feature permission word export. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have view...
CVE-2026-8205 Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in Calendar Block since action_get_events does not check canView on the calendar
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since actiongetevents does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with...
EUVD-2026-31351
Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since actiongetevents does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with...
CVE-2026-9057
A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available...
CVE-2026-9057
A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available...
CVE-2026-9057 Security fix for Qlik Talend Administration Center URL access control vulnerability
A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available...
CVE-2026-9057
The vulnerability CVE-2026-9057 affects Talend Administration Center and is a broken access control issue that allows a user with View permission to modify the Talend Studio update URL. Reported impact is high (CVSS 3.1: 8.2, Confidentiality/Integrity High, Availability None) with network attack ...
EUVD-2026-31061
A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available...
CVE-2026-9057 Security fix for Qlik Talend Administration Center URL access control vulnerability
A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available...
PT-2026-42106
Name of the Vulnerable Software and Affected Versions Talend Administration Center affected versions not specified Description A broken access control issue exists that allows a user with "View" permission to modify the Talend Studio update URL. Recommendations Apply the available patch to resolv...