CVE-2026-32117

The grafanacubism-panel plugin allows use of cubism.js in Grafana. In 0.1.2 and earlier, the panel's zoom-link handler passes a dashboard-editor-supplied URL directly to window.location.assign / window.open with no scheme validation. An attacker with dashboard Editor privileges can set the link t...

Shopify: Access to Employee calendar disclosing internal presentation and meetings

Summary During a school research, we found out that some Shopify employees have their google calendar set to public. This discloses some sensitive informations: New hire information due to onsite interviews Internal presentation we found at least one internal presentation that we could access Zoo...