6 matches found

Cvelist
added 3 days ago · 30 views

CVE-2026-41084 Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation

A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...

EPSS 0.00061
Exploits 0 · References 2
CNNVD
added 2023/03/30 12:0 a.m. · 1 views

Nextcloud operating system command injection vulnerability

Nextcloud is an open source, self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. An operating system command injection vulnerability exists in Nextcloud server, which stems from an unvalidated workflow scope of operation that results in the...

CVSS 9 · AI score 8.3 · EPSS 0.51125
Exploits 2 · References 3
OSV
added 2023/01/09 5:15 p.m. · 2 views

CVE-2022-46258

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability...

CVSS 6.5 · AI score 5.8 · EPSS 0.00192
Exploits 0 · References 4
Prion
added 2023/01/09 5:15 p.m. · 16 views

Authorization

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability...

CVSS 4 · AI score 6.3 · EPSS 0.00192
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2023/01/09 12:0 a.m. · 5 views

PT-2023-14888 · Github · Github Enterprise Server

Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.7; GitHub Enterprise Server versions 3.3 through 3.3.15; GitHub Enterprise Server versions 3.4 through 3.4.10; GitHub Enterprise Server versions 3.5 through 3.5.7; GitHub Enterprise Server versions 3.6...

CVSS 6.5 · AI score 7.2 · EPSS 0.00192
Exploits 0 · References 8
Cvelist
added 2023/01/09 12:0 a.m. · 26 views

CVE-2022-46258 Incorrect Authorization in GitHub Enterprise Server leads to Action Workflow modifications without Workflow Scope

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability...

AI score 6.5 · EPSS 0.00192
Exploits 0 · References 4