๐จ CVE-2026-57945
PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.
๐@cveNotify
PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.
๐@cveNotify
GitHub
API: Reinforce user profile authorization checks ยท Issue #5619 ยท photoprism/photoprism
As a PhotoPrism admin, I want the authorization checks for the user profile endpoint to be reinforced so that non-admin account holders who are logged in cannot modify other users' informationa...
๐จ CVE-2026-57946
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.
๐@cveNotify
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.
๐@cveNotify
GitHub
fix: fix private invidious playlists on rss feeds from being fetched โฆ ยท iv-org/invidious@c435dc1
โฆwithout authentication (#5776)
๐จ CVE-2026-57947
Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.
๐@cveNotify
Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.
๐@cveNotify
GitHub
Webhook URL missing SSRF protection allows authenticated users to reach internal network resources ยท Issue #13857 ยท pinpoint-apm/pinpoint
Summary The Pinpoint web UI allows authenticated users to register alarm webhook URLs through the /api/webhook endpoint. The URL validation function checks only that the supplied string is a syntac...
๐จ CVE-2026-57948
Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.
๐@cveNotify
Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.
๐@cveNotify
GitHub
JWT session cookie missing HttpOnly and Secure attributes exposes session tokens to script access and plaintext transmission ยทโฆ
Summary When basicLogin mode is enabled, Pinpoint issues the JWT session token as a cookie named pinpointJwt. The cookie is created without the HttpOnly or Secure attributes. The absence of HttpOnl...
๐จ CVE-2026-57949
ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.
๐@cveNotify
ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.
๐@cveNotify
GitHub
fix(crm): ไฟฎๅค่ท่ฟ่ฎฐๅฝ่ฏฆๆ
่ถๆ่ฏปๅ ยท YunaiV/ruoyi-vue-pro@c779a47
่ท่ฟ่ฎฐๅฝ่ฏฆๆ
ๆฅๅฃๆ id ๆฅ่ฏขๅ๏ผๅขๅ ๅ
ณ่ CRM ไธๅกๅฏน่ฑก็ READ ๆ้ๆ ก้ช๏ผ
้ฟๅ ็จๆท้่ฟ่ชๅข id ่ถๆ่ฏปๅๅ ถไป็จๆท็่ท่ฟ่ฎฐๅฝใ
Fixes: https://github.com/YunaiV/ruoyi-vue-pro/issues/1159
้ฟๅ ็จๆท้่ฟ่ชๅข id ่ถๆ่ฏปๅๅ ถไป็จๆท็่ท่ฟ่ฎฐๅฝใ
Fixes: https://github.com/YunaiV/ruoyi-vue-pro/issues/1159
๐จ CVE-2026-57950
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.
๐@cveNotify
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.
๐@cveNotify
GitHub
fix(erp): ไฟฎๅค้ๅฎ่ฎขๅ่ฏฏ็จ้ๅฎๅบๅบๆ้ ยท YunaiV/ruoyi-vue-pro@5d1fd70
ๅฐ ErpSaleOrderController ็ๆ้ๆ ่ฏไป erp:sale-out:* ไฟฎๆญฃไธบ
erp:sale-order:*๏ผ้ฟๅ ๆฅๆ้ๅฎๅบๅบๆ้็็จๆท่ถๆ่ฎฟ้ฎ้ๅฎ่ฎขๅๆฅๅฃใ
Fixes: https://github.com/YunaiV/ruoyi-vue-pro/issues/1161
erp:sale-order:*๏ผ้ฟๅ ๆฅๆ้ๅฎๅบๅบๆ้็็จๆท่ถๆ่ฎฟ้ฎ้ๅฎ่ฎขๅๆฅๅฃใ
Fixes: https://github.com/YunaiV/ruoyi-vue-pro/issues/1161
๐จ CVE-2026-57951
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.
๐@cveNotify
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.
๐@cveNotify
GitHub
addressing issues #563 #564 and #565 ยท its-a-feature/Mythic@82648e8
A collaborative, multi-platform, red teaming framework - addressing issues #563 #564 and #565 ยท its-a-feature/Mythic@82648e8
๐จ CVE-2026-57953
Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
๐@cveNotify
Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
๐@cveNotify
GitHub
addressing issues #563 #564 and #565 ยท its-a-feature/Mythic@82648e8
A collaborative, multi-platform, red teaming framework - addressing issues #563 #564 and #565 ยท its-a-feature/Mythic@82648e8
๐จ CVE-2026-57954
Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
๐@cveNotify
Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
๐@cveNotify
GitHub
Read permission not enforced on client-supplied sort expressions (incomplete fix of CVE-2020-5289) ยท Issue #3415 ยท yahoo/elide
Summary Elide enforces @ReadPermission on client-supplied filter expressions (the fix for CVE-2020-5289), but it does NOT enforce @ReadPermission on client-supplied sort expressions. A caller can s...
๐จ CVE-2026-57955
SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.
๐@cveNotify
SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.
๐@cveNotify
GitHub
[security] clickhouse SQL Injection via Unvalidated Rule ID in Alert History Endpoints ยท Issue #11747 ยท SigNoz/signoz
(emailed on 23 may and 6 june - no responses) There's a potential SQL injection vulnerability in two alert history API endpoints that affects all authenticated users. The POST /api/v1/rules/{id...
๐จ CVE-2026-57956
SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.
๐@cveNotify
SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.
๐@cveNotify
GitHub
[security] cross-organization IDOR on alert rules (read/edit/delete by UUID, no org scoping) ยท Issue #11830 ยท SigNoz/signoz
(I've reported the following cross-org IDOR via email on 13 June 2026 with no response) The rule store predicates (pkg/ruler/rulestore/sqlrulestore/rule.go) filter on id only: GetStoredRule (~1...
๐จ CVE-2026-57957
Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.
๐@cveNotify
Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that silently issue credentialed cross-origin requests to upload arbitrary files into victim datarooms and read credentialed responses.
๐@cveNotify
GitHub
White-box bug bounty: task-whitebox-papermark by AstoKr ยท Pull Request #1 ยท AstoKr/papermark
White-Box Bug Bounty Findings
Findings Summary โ Papermark
Workflow: whitebox-bug-finder
Target: papermark (worktree task-whitebox-papermark)
Date: 2026-06-19
Scope: All findings/*.md (28 VALID) + ...
Findings Summary โ Papermark
Workflow: whitebox-bug-finder
Target: papermark (worktree task-whitebox-papermark)
Date: 2026-06-19
Scope: All findings/*.md (28 VALID) + ...
๐จ CVE-2026-57958
Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.
๐@cveNotify
Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash messages via the Vue v-html directive to hijack authenticated user sessions or perform unauthorized actions.
๐@cveNotify
GitHub
Reflected XSS via OAuth Callback Error Parameter in Mixpost ยท Issue #204 ยท inovector/mixpost
Steps to reproduce the problem (reported via email on 24 May and followed up on 6 June - no response) Mixpost's OAuth callback controller reflects a user-supplied error query parameter directly...
๐จ CVE-2026-57959
Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.
๐@cveNotify
Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.
๐@cveNotify
GitHub
๐ Promo Code Max-Usage Limit Bypass in Hi.Events (Async Counter Race Condition) ยท Issue #1223 ยท HiEventsDev/Hi.Events
(reported via email on 24 May - no response) I am reporting a vulnerability in Hi.Events (develop branch, v1.8.0-beta) that allows any user to bypass promo code max-usage limits, enabling unlimited...
๐จ CVE-2026-57960
Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.
๐@cveNotify
Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.
๐@cveNotify
GitHub
๐ Unauthenticated Attendee PII Exposure via Public Check-In List Endpoint ยท Issue #1224 ยท HiEventsDev/Hi.Events
(reported via email on 24 May - no response) I am reporting a vulnerability in Hi.Events (develop branch, v1.8.0-beta) that exposes attendee personally identifiable information (PII) to anyone who ...
๐จ CVE-2021-27722
An issue was discovered in Nsasoft US LLC SpotAuditor 5.3.5. The program can be crashed by entering 300 bytes char data into the "Key" or "Name" field while registering.
๐@cveNotify
An issue was discovered in Nsasoft US LLC SpotAuditor 5.3.5. The program can be crashed by entering 300 bytes char data into the "Key" or "Name" field while registering.
๐@cveNotify
Exploit Database
Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC).. dos exploit for Windows platform
๐จ CVE-2021-47814
NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a 256-character buffer into the registration key field to trigger an application crash and potential system instability.
๐@cveNotify
NBMonitor 1.6.8 contains a denial of service vulnerability that allows attackers to crash the application by overflowing the registration code input field. Attackers can paste a 256-character buffer into the registration key field to trigger an application crash and potential system instability.
๐@cveNotify
NSAuditor
Network Security Audit Software โ AI Scanner | NSAuditor
AI-powered network security audit software. Verified vulnerabilities, MITRE ATT&CK mapping, and SOC 2 / HIPAA / PCI DSS / ISO 27001 / CIS evidence โ on your own infrastructure. Free download.
๐จ CVE-2020-37131
Nsauditor Product Key Explorer 4.2.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by inputting a specially crafted registration key. Attackers can generate a payload of 1000 bytes of repeated characters and paste it into the 'Key' input field to trigger the application crash.
๐@cveNotify
Nsauditor Product Key Explorer 4.2.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by inputting a specially crafted registration key. Attackers can generate a payload of 1000 bytes of repeated characters and paste it into the 'Key' input field to trigger the application crash.
๐@cveNotify
NSAuditor
Network Security Audit Software โ AI Scanner | NSAuditor
AI-powered network security audit software. Verified vulnerabilities, MITRE ATT&CK mapping, and SOC 2 / HIPAA / PCI DSS / ISO 27001 / CIS evidence โ on your own infrastructure. Free download.
๐จ CVE-2020-37196
Dnss Domain Name Search Software contains a denial of service vulnerability that allows attackers to crash the application by providing an oversized registration key. Attackers can generate a 1000-character buffer payload and paste it into the registration key field to trigger an application crash.
๐@cveNotify
Dnss Domain Name Search Software contains a denial of service vulnerability that allows attackers to crash the application by providing an oversized registration key. Attackers can generate a 1000-character buffer payload and paste it into the registration key field to trigger an application crash.
๐@cveNotify
NSAuditor
Network Security Audit Software โ AI Scanner | NSAuditor
AI-powered network security audit software. Verified vulnerabilities, MITRE ATT&CK mapping, and SOC 2 / HIPAA / PCI DSS / ISO 27001 / CIS evidence โ on your own infrastructure. Free download.
๐จ CVE-2020-37197
Dnss Domain Name Search Software contains a denial of service vulnerability that allows attackers to crash the application by overflowing the 'Name' input field. Attackers can generate a 1000-character buffer payload and paste it into the registration name field to trigger an application crash.
๐@cveNotify
Dnss Domain Name Search Software contains a denial of service vulnerability that allows attackers to crash the application by overflowing the 'Name' input field. Attackers can generate a 1000-character buffer payload and paste it into the registration name field to trigger an application crash.
๐@cveNotify
NSAuditor
Network Security Audit Software โ AI Scanner | NSAuditor
AI-powered network security audit software. Verified vulnerabilities, MITRE ATT&CK mapping, and SOC 2 / HIPAA / PCI DSS / ISO 27001 / CIS evidence โ on your own infrastructure. Free download.
๐จ CVE-2020-37199
NBMonitor 1.6.6.0 contains a denial of service vulnerability in its registration key input that allows attackers to crash the application. Attackers can generate a 1000-character buffer payload and paste it into the 'Key' field to trigger an application crash.
๐@cveNotify
NBMonitor 1.6.6.0 contains a denial of service vulnerability in its registration key input that allows attackers to crash the application. Attackers can generate a 1000-character buffer payload and paste it into the 'Key' field to trigger an application crash.
๐@cveNotify
NSAuditor
Network Security Audit Software โ AI Scanner | NSAuditor
AI-powered network security audit software. Verified vulnerabilities, MITRE ATT&CK mapping, and SOC 2 / HIPAA / PCI DSS / ISO 27001 / CIS evidence โ on your own infrastructure. Free download.