38 matches found
Access Control Bypass
Overview Affected versions of this package are vulnerable to Access Control Bypass in the organization permission APIs due to insufficient visibility checks for hidden members and private organizations. An attacker can access private visibility information by querying these APIs. Remediation...
CVE-2026-25712
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations...
CVE-2026-25712
Gitea CVE-2026-25712 affects versions before 1.25.5. The issue is in the organization permission APIs (routers/api/v1/org) where visibility checks are insufficient, allowing an attacker to access private visibility information about hidden members and private organizations. The root cause is inad...
EUVD-2026-41622
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations...
CVE-2026-25712
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations...
CVE-2026-25712 Gitea organization permission APIs expose private visibility information
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations...
PT-2026-55593
Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.25.5 Description Insufficient visibility checks exist within organization permission APIs, which may affect hidden members and private organizations. Recommendations Update to version 1.25.5 or later...
CVE-2026-47193
OpenProject (open-source web-based project management) contains a vulnerability in the journal diff endpoint that discloses hidden historical field values due to lack of object/field visibility enforcement. The issue is fixed in versions 17.3.3 and 17.4.1. Affected component: journal diff endpoin...
CVE-2026-40571 NamelessMC: Reactions on private or blocking profile posts can be modified without proper authorization
NamelessMC is website software for Minecraft servers. In version 2.2.4, core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. This means that authenticated low-privileged users can add reactions to private...
CVE-2026-41659
Admidio is an open-source user management solution. Prior to version 5.0.9, the member assignment DataTables endpoint membersassignmentdata.php includes hidden profile fields BIRTHDAY, STREET, CITY, POSTCODE, COUNTRY in its SQL search condition regardless of field visibility settings. While the...
EUVD-2026-21128
OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where sessionstatus resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked...
CVE-2026-35636
OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where sessionstatus resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked...
CVE-2026-32619
Discourse vulnerability CVE-2026-32619 affects the poll feature when a user loses access to a topic in private categories. Versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0 allow such users to interact with polls (vote and togg...
BIT-DISCOURSE-2026-27934 Discourse leaks private topic title and post excerpt via user action API endpoint
Discourse is an open-source discussion platform. Versions prior to 2026.3.0, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions 2026.3.0...
CVE-2026-27934
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions...
EUVD-2026-13341
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have two authorization issues in the chat direct message API. First, when creating a direct message channel or adding users to an existing one, the targetgroups parameter was passed direct...
CVE-2026-27934 Discourse leaks private topic title and post excerpt via user action API endpoint
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 have a lack of visibility checks with a user action API endpoint that results in disclosure of the title and post excerpt to unauthorized users, leading to information disclosure. Versions...
CVE-2026-27934
Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 expose topic titles and post excerpts through a user action API endpoint to unauthorized users due to missing visibility checks. The issue enables information disclosure with a CVSS 4.0 base score of 8.7 (HIGH) and no user inte...
PT-2026-26370
Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse, an open-source discussion platform, is affected by an information disclosure issue. A lack of...
BIT-DISCOURSE-2026-27021 Discourse: Poll voters endpoint lacked post visibility checks
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the voters endpoint in the poll plugin lacked post visibility checks which allowed unauthorized access to voters details of polls in any post. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the...