24 matches found

OSV, added 2026/03/03 1:29 p.m., 1 view

BIT-DISCOURSE-2026-26973 Discourse doesn't scope reviewable notes to user-visible reviewables

Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in ReviewableNotesController. When enable_category_group_moderation is enabled, a user belonging to a category moderation group can create or delete thei...

CVSS 4.3, AI score 5.9, EPSS 0.00054
Exploits 0, References 2
CVE, added 2026/02/26 7:19 p.m., 4 views

CVE-2026-26973

Summary: CVE-2026-26973 affects Discourse before versions 2025.12.2, 2026.1.1, and 2026.2.0, where an IDOR in the ReviewableNotesController allows a user in a category moderation group to create or delete notes on any reviewable when enable_category_group_moderation is on. Root cause: unscoped Re...

CVSS 4.3, AI score 5.3, EPSS 0.00054
Exploits 0, References 1, Affected Software 1
EUVD, added 2026/02/26 7:19 p.m., 3 views

EUVD-2026-8878

Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in ReviewableNotesController. When enable_category_group_moderation is enabled, a user belonging to a category moderation group can create or delete thei...

CVSS 4.3, AI score 5.3, EPSS 0.00054
Exploits 0, References 1
Cvelist, added 2026/02/26 7:19 p.m., 18 views

CVE-2026-26973 Discourse doesn't scope reviewable notes to user-visible reviewables

Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in ReviewableNotesController. When enable_category_group_moderation is enabled, a user belonging to a category moderation group can create or delete thei...

CVSS 4.3, EPSS 0.00054
Exploits 0, References 1
ATTACKERKB, added 2026/02/26 7:19 p.m., 1 view

CVE-2026-26973

Discourse is an open source discussion platform. Versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 have an IDOR (Insecure Direct Object Reference) in ReviewableNotesController. When enable_category_group_moderation is enabled, a user belonging to a category moderation group can create or delete thei...

CVSS 4.3, AI score 5.7, EPSS 0.00054
Exploits 0, References 2, Affected Software 1
Github Security Blog, added 2025/10/06 5:58 p.m., 4 views

XWiki OIDC Authenticator: Users with "view" access can create tokens for any users they can view

Impact: Anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user since users are very commonly viewable, at least to other registered users. Patches: Version 2.18.2...

CVSS 9.2, AI score 7.1, EPSS 0.00122
Exploits 0, References 7, Affected Software 1
Snyk, added 2025/09/09 9:31 a.m., 2 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization for the CSV download process. An attacker can access sensitive information from arbitrary database tables in the user's web mounts. Notes: - This vulnerability is limited to database records that fell within the pa...

CVSS 5.3, AI score 6.5, EPSS 0.0007
Exploits 0, References 2
RedhatCVE, added 2025/05/23 2:22 a.m., 2 views

CVE-2023-34466

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.0-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, tags from pages not viewable to the current user are leaked by the tags API. This information can also...

CVSS 4.3, AI score 6.5, EPSS 0.0029
Exploits 1, References 1
Prion, added 2023/06/23 4:15 p.m., 12 views

Information disclosure

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.0-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, tags from pages not viewable to the current user are leaked by the tags API. This information can also...

CVSS 4, AI score 4.4, EPSS 0.0029
Exploits 1, References 2, Affected Software 1
CNNVD, added 2023/06/23 12:00 a.m., 0 views

XWiki Platform information disclosure vulnerability

XWiki Platform is a suite of Wiki platforms for creating web collaboration applications from the XWiki Foundation in France. An information disclosure vulnerability exists in xwiki-platform-tag-api versions 5.0-milestone-1 through 14.4.8, 14.10.4 and earlier, and 15.0-rc-1 and earlier, which stem...

CVSS 4.3, AI score 5.1, EPSS 0.0029
Exploits 1, References 3
OSV, added 2023/06/20 4:45 p.m., 17 views

GHSA-7F2F-PCV3-J2R7 XWiki Platform's tags on non-viewable pages can be revealed to users

Impact: Tags from pages not viewable to the current user are leaked by the tags API. This information can also be exploited to infer the document reference of non-viewable pages. Patches: This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0 RC1. Workarounds: There is no workaround...

CVSS 4.3, AI score 4.3, EPSS 0.0029
Exploits 1, References 4
Prion, added 2023/05/25 8:15 p.m., 12 views

Default credentials

In WFTPD 3.25, usernames and password hashes are stored in an openly viewable wftpd.ini configuration file within the WFTPD directory. NOTE: this is a product from 2006...

CVSS 5, AI score 7.6, EPSS 0.00197
Exploits 1, References 1, Affected Software 1
OSV, added 2022/05/24 5:10 p.m., 14 views

GHSA-HM57-4QPX-F734 Credentials transmitted in plain text by Jenkins DeployHub Plugin

DeployHub Plugin stores credentials in job config.xml files as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by DeployHub Plugin 8.0.14 and earlier. These credentials could be viewed by users wit...

CVSS 3.1, AI score 4.4, EPSS 0.00024
Exploits 0, References 4
OSV, added 2021/08/25 2:15 a.m., 0 views

CVE-2021-40087

An issue was discovered in PrimeKey EJBCA before 7.6.0. When audit logging changes to the alias configurations of various protocols that use an enrollment secret, any modifications to the secret were logged in cleartext in the audit log that can only be viewed by an administrator. This affects us...

CVSS 2.7, AI score 5.8, EPSS 0.00096
Exploits 0, References 1
NVD, added 2019/11/14 5:15 p.m., 13 views

CVE-2012-1157

Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default...

CVSS 4.3, AI score 6, EPSS 0.0058
Exploits 0, References 9
Cvelist, added 2019/11/14 4:05 p.m., 15 views

CVE-2012-1157

Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default...

AI score 5.9, EPSS 0.0058
Exploits 0, References 9
CVE, added 2019/11/14 4:05 p.m., 57 views

CVE-2012-1157

CVE-2012-1157 concerns Moodle prior to 2.2.2, where a default repository capabilities issue causes all repositories to be viewable by all users. Connected documents confirm the affected condition (default permissions affecting repositories) and identify Moodle versions affected. The root cause is...

CVSS 4.3, AI score 5.7, EPSS 0.0058
Exploits 0, References 9, Affected Software 1
Japan Vulnerability Notes, added 2016/05/13 5:27 a.m., 4 views

FileMaker server issue where PHP source code may be viewable

Overview: FileMaker server contains an issue where PHP source code may be viewable when Custom Web Publishing with PHP is enabled. Atsushi Matsuo of Emic Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...

CVSS 7.5, AI score 6.9, EPSS 0.00364
Exploits 0, References 5
ThreatPost, added 2012/11/02 2:52 p.m., 15 views

Apache Server-Status Publicly Viewable on Top Sites

A vast number of websites ranging from obscure to quite popular have left an Apache Web server functionality called server-status enabled and publicly accessible. The careless implementation of this module, Sucuri CTO Daniel Cid warns in a write-up on the Sucuri blog, could give potential attackers...

AI score 0.9
Exploits 0, References 3
Atlassian, added 2010/06/17 8:46 a.m., 14 views

Can not UPDATE the "Viewable By" field of an issue

After the creation of an issue it is by default viewable by "All Users". It is not possible to change the value after re-editing that issue. After changing it and clicking the "Update" button, the viewable by entry stays "All Users"...

AI score 3.9
Exploits 0, Affected Software 1