5 matches found

Cvelist
added last week, 24 views

CVE-2026-47713 AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user to multi-user migration even when the device record has userId = null. In...

CVSS 2, EPSS 0.00033
Exploits 1, References 2

OSV
added 2026/01/05 5:53 p.m., 3 views

CVE-2025-61781 GraphQL IDOR allows authenticated user to delete workspace content of other users

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.8.1, the GraphQL mutation "WorkspacePopoverDeletionMutation" allows users to delete workspace-related objects such as dashboards and investigation cases. However, the mutation...

CVSS 7.1, AI score 6.4, EPSS 0.00123
Exploits 0, References 3

Veracode
added 2025/12/13 5:25 a.m., 4 views

Stored Cross-Site Scripting (XSS)

Jenkins AnchorChain Plugin is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability is due to improper validation of URL schemes when generating links from workspace content, allowing attackers to inject javascript: URLs that execute malicious scripts in the Jenkins user interface...

CVSS 6.5, AI score 5.9, EPSS 0.00164
Exploits 0, References 2, Affected Software 1

Snyk
added 2025/03/19 6:30 p.m., 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to allowing the javascript: URL scheme for links created based on workspace content. Details: Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into...

CVSS 8.5, AI score 5.3, EPSS 0.00164
Exploits 0, References 2

HackerOne
added 2022/08/06 11:59 a.m., 25 views

Slack: CSV export/import functionality allows administrators to modify member and message content of a workspace

On August 6th, 2022 @security-warrior submitted a report in HackerOne to Slack regarding the CSV export/import functionality primarily used by administrators to merge workspaces. The report centers on the ability of an administrator to modify an export to change user or message content. Upon...

AI score 2.7
Exploits 0