Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the logs and stats API actions in the RoutineViewSet process. An attacker can access another user's private workout session notes, exercise history, and training statistics by enumerating public template routin...

CVE-2026-28503 Tandoor Recipes has Cross-Space IDOR in SyncViewSet.query_synced_folder: missing space scoping on get_object_or_404

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the SyncViewSet.querysyncedfolder action in cookbook/views/api.py line 903 fetches a Sync object using getobjector404Sync, pk=pk without including space=request.space i...

CVE-2026-27835

wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user...

CVE-2026-27457 Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet weblate/api/views.py, line 2831 uses queryset = Addon.objects.all without overriding getqueryset to scope results by user permissions. This allows any authenticated user or anonymous users if REQUIRELOG...

CVE-2026-27457 Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet weblate/api/views.py, line 2831 uses queryset = Addon.objects.all without overriding getqueryset to scope results by user permissions. This allows any authenticated user or anonymous users if REQUIRELOG...

CVE-2026-27457 Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Weblate is a web based localization tool. Prior to version 5.16.1, the REST API's AddonViewSet weblate/api/views.py, line 2831 uses queryset = Addon.objects.all without overriding getqueryset to scope results by user permissions. This allows any authenticated user or anonymous users if REQUIRELOG...

Missing Authorization

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Missing Authorization in the AddonViewSet API, which allows unauthorized users to access add-on configuration data. An attacker can obtain...

Weblate: Missing access control for the AddonViewSet API exposes all addon configurations

Impact Users were able to obtain add-on configuration via API. Patches https://github.com/WeblateOrg/weblate/pull/18107 https://github.com/WeblateOrg/weblate/pull/18164 References Weblate thanks @lighthousekeeper1212 for responsible disclosure...

CVE-2025-14089 Himool ERP AdminActionViewSet update_account improper authorization

A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function updateaccount of the file /api/admin/updateaccount/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is public...

PT-2025-49250

A vulnerability was identified in Himool ERP up to 2.2. Affected by this issue is the function update account of the file /api/admin/update account/ of the component AdminActionViewSet. Such manipulation leads to improper authorization. The attack may be performed from remote. The exploit is...

CVE-2024-32882

Wagtail is an open source content management system built on Django. In affected versions if a model has been made available for editing through the wagtail.contrib.settings module or ModelViewSet, and the permission argument on FieldPanel has been used to further restrict access to one or more...

GHSA-W2V8-PHP4-P8HC Wagtail has permission check bypass when editing a model with per-field restrictions through `wagtail.contrib.settings` or `ModelViewSet`

Impact If a model has been made available for editing through the wagtail.contrib.settings module or ModelViewSet, and the permission argument on FieldPanel has been used to further restrict access to one or more fields of the model, a user with edit permission over the model but not the specific...

PT-2024-24938 · Wagtail · Wagtail

Name of the Vulnerable Software and Affected Versions: Wagtail versions prior to 6.0.3 and 6.1 Description: In affected versions, if a model has been made available for editing through the wagtail.contrib.settings module or ModelViewSet, and the permission argument on FieldPanel has been used to...