๐จ CVE-2026-55670
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.
๐@cveNotify
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.
๐@cveNotify
GitHub
fix(eventstore): allow overwriting resource owner of events (#12261) ยท zitadel/zitadel@a939b84
# Which Problems Are Solved
- The eventstore did not support intentionally overwriting the resource
owner when creating events for aggregates that may be reused across
owners.
- Resource owner han...
- The eventstore did not support intentionally overwriting the resource
owner when creating events for aggregates that may be reused across
owners.
- Resource owner han...
๐จ CVE-2026-55671
ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to loopback, internal IP, link-local, or redirected endpoints through DNS rebinding, redirects, or protocol downgrades. This issue is fixed in version 4.15.2.
๐@cveNotify
ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to loopback, internal IP, link-local, or redirected endpoints through DNS rebinding, redirects, or protocol downgrades. This issue is fixed in version 4.15.2.
๐@cveNotify
GitHub
fix: use protected http client for outgoing connections ยท zitadel/zitadel@b6f7808
# Which Problems Are Solved
Backchannel logout, notification webhooks and SAML metadata URL fetches are vulnerable to SSRF attacks: the attacker can set any URL as backchannel logout URL, potentia...
Backchannel logout, notification webhooks and SAML metadata URL fetches are vulnerable to SSRF attacks: the attacker can set any URL as backchannel logout URL, potentia...
๐จ CVE-2026-55672
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2.
๐@cveNotify
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refresh tokens to be exchanged under a different client. This issue is fixed in versions 3.4.12 and 4.15.2.
๐@cveNotify
GitHub
fix: client_id verification during code exchange and refresh token flows ยท zitadel/zitadel@5624030
(cherry picked from commit 0973b074b48816757c47fe732b06d2488d3d284c)
๐จ CVE-2026-56664
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.
๐@cveNotify
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens from a trusted issuer to pass authentication. This issue is fixed in versions 3.4.12 and 4.15.2.
๐@cveNotify
GitHub
fix: always validate exp and iat claims of JWT IdPs ยท zitadel/zitadel@4925fab
# Which Problems Are Solved
JWT IdPs only validated the issued_at (`iat`) and expiration (`exp`) claim if set in the token. Especially in combination, this can lead to tokens being accepted endles...
JWT IdPs only validated the issued_at (`iat`) and expiration (`exp`) claim if set in the token. Especially in combination, this can lead to tokens being accepted endles...
๐จ CVE-2026-56665
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2.
๐@cveNotify
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips expiration handling when an incoming token omits the exp claim, allowing a token from a trusted issuer to be treated as valid without an automatic expiration window. This issue is fixed in versions 3.4.12 and 4.15.2.
๐@cveNotify
GitHub
fix: always validate exp and iat claims of JWT IdPs ยท zitadel/zitadel@4925fab
# Which Problems Are Solved
JWT IdPs only validated the issued_at (`iat`) and expiration (`exp`) claim if set in the token. Especially in combination, this can lead to tokens being accepted endles...
JWT IdPs only validated the issued_at (`iat`) and expiration (`exp`) claim if set in the token. Especially in combination, this can lead to tokens being accepted endles...
๐จ CVE-2026-56666
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.
๐@cveNotify
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive provider account with a victim email address to be linked to the victim's local account. This issue is fixed in version 4.15.3.
๐@cveNotify
GitHub
fix: ensure external user's email is verified before auto-linking ยท zitadel/zitadel@c97012f
# Which Problems Are Solved
When auto-linking an external user by email, only the internal user's email was checked to be verified, but not the one from the IdP. This could potentially lea...
When auto-linking an external user by email, only the internal user's email was checked to be verified, but not the one from the IdP. This could potentially lea...
๐จ CVE-2026-56668
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token's scopes, allowing a low-privilege token to be exchanged for elevated permissions at another application. This issue is fixed in version 4.15.3.
๐@cveNotify
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token's scopes, allowing a low-privilege token to be exchanged for elevated permissions at another application. This issue is fixed in version 4.15.3.
๐@cveNotify
GitHub
fix: added client and scope validation for token exchange ยท zitadel/zitadel@e2886a6
# Which Problems Are Solved
The OAuth2 Token Exchange endpoint (RFC 8693) in Zitadel's OIDC package does not validate that the subject token belongs to the requesting client before issuing...
The OAuth2 Token Exchange endpoint (RFC 8693) in Zitadel's OIDC package does not validate that the subject token belongs to the requesting client before issuing...
๐จ CVE-2026-57474
Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attackerโs reconnaissance effort. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
๐@cveNotify
Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attackerโs reconnaissance effort. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
๐@cveNotify
๐จ CVE-2026-57475
Deloitte AI Assist for Customer accepted unauthenticated POST requests through public-facing API endpoints that allowed a remote attacker to make limited additions to the configuration. These additions were not used by the system. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
๐@cveNotify
Deloitte AI Assist for Customer accepted unauthenticated POST requests through public-facing API endpoints that allowed a remote attacker to make limited additions to the configuration. These additions were not used by the system. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
๐@cveNotify
๐จ CVE-2026-57476
Deloitte AI Assist for Customer exposed unauthenticated API endpoints that allowed an attacker with knowledge of additional parameters to read from or inject content into the retrieval-augmented generation (RAG) corpus. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
๐@cveNotify
Deloitte AI Assist for Customer exposed unauthenticated API endpoints that allowed an attacker with knowledge of additional parameters to read from or inject content into the retrieval-augmented generation (RAG) corpus. On 2026-03-25, AI Assist for Customer restricted network access and enforced authentication for the previously exposed endpoints.
๐@cveNotify
๐จ CVE-2026-0273
A command injection vulnerability in Palo Alto Networks PAN-OSยฎ software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI.
The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prismaยฎ Access are not affected by this vulnerability.
๐@cveNotify
A command injection vulnerability in Palo Alto Networks PAN-OSยฎ software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI.
The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management web interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prismaยฎ Access are not affected by this vulnerability.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0273 PAN-OS: Authenticated Admin Command Injection Vulnerability via CLI or Web UI
A command injection vulnerability in Palo Alto Networks PAN-OSยฎ software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to e...
๐จ CVE-2026-59709
Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove tags on victim holdings, corrupting portfolio categorization and reports.
๐@cveNotify
Ghostfolio's PUT /api/v1/portfolio/holding/:dataSource/:symbol/tags endpoint fails to verify Access.permissions field when processing the Impersonation-Id header, allowing read-only access grantees to modify portfolio holding tags. Attackers with valid read-only share tokens can assign or remove tags on victim holdings, corrupting portfolio categorization and reports.
๐@cveNotify
GitHub
GitHub - ghostfolio/ghostfolio: Open Source Wealth Management Software. Angular + NestJS + Prisma + Nx + TypeScript ๐ค
Open Source Wealth Management Software. Angular + NestJS + Prisma + Nx + TypeScript ๐ค - ghostfolio/ghostfolio
๐จ CVE-2026-59708
The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings, quantities, buy prices, and performance metrics without authentication.
๐@cveNotify
The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings, quantities, buy prices, and performance metrics without authentication.
๐@cveNotify
GitHub
GitHub - ghostfolio/ghostfolio: Open Source Wealth Management Software. Angular + NestJS + Prisma + Nx + TypeScript ๐ค
Open Source Wealth Management Software. Angular + NestJS + Prisma + Nx + TypeScript ๐ค - ghostfolio/ghostfolio
๐จ CVE-2026-37270
Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.
๐@cveNotify
Trueview Security camera T18161- AF v4.9.60.0 contains an authentication bypass vulnerability caused by improper password validation and the presence of hard-coded credentials in the firmware.
๐@cveNotify
GitHub
CVE/CVE-2026-37270/CVE-2026-37270.pdf at main ยท EmbdCDACHyd/CVE
Research repository focused on security vulnerabilities (CVEs) in IoT devices, firmware, communication protocols, and embedded systems. - EmbdCDACHyd/CVE
๐จ CVE-2026-37271
Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session validation. Under specific conditions, previously captured BLE packets can be replayed from a nearby device to trigger functionality on the smartwatch.
๐@cveNotify
Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session validation. Under specific conditions, previously captured BLE packets can be replayed from a nearby device to trigger functionality on the smartwatch.
๐@cveNotify
GitHub
CVE/CVE-2026-37271/CVE-2026-37271.pdf at main ยท EmbdCDACHyd/CVE
Research repository focused on security vulnerabilities (CVEs) in IoT devices, firmware, communication protocols, and embedded systems. - EmbdCDACHyd/CVE
๐จ CVE-2026-50810
A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service
๐@cveNotify
A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service
๐@cveNotify
Gist
gist:0c67bf67a268ff8861100bfc132e801c
GitHub Gist: instantly share code, notes, and snippets.
๐จ CVE-2026-56362
ImageMagick before 7.1.2-15 contains a heap-buffer-overflow read vulnerability in GetPixelIndex caused by OpenPixelCache updating image channel metadata before pixel cache memory allocation. Attackers can trigger memory and disk allocation failures to cause a heap-buffer-overflow read affecting any writer calling GetPixelIndex.
๐@cveNotify
ImageMagick before 7.1.2-15 contains a heap-buffer-overflow read vulnerability in GetPixelIndex caused by OpenPixelCache updating image channel metadata before pixel cache memory allocation. Attackers can trigger memory and disk allocation failures to cause a heap-buffer-overflow read affecting any writer calling GetPixelIndex.
๐@cveNotify
GitHub
Heap-buffer-overflow read in GetPixelIndex due to metadata-cache desynchronization in OpenPixelCache
`OpenPixelCache` updates image channel metadata **before** attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer t...
๐จ CVE-2026-59262
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.
๐@cveNotify
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.
๐@cveNotify
GitHub
GitHub - toeverything/AFFiNE: There can be more than Notion and Miro. AFFiNE(pronounced [ษโfain]) is a next-gen knowledge baseโฆ
There can be more than Notion and Miro. AFFiNE(pronounced [ษโfain]) is a next-gen knowledge base that brings planning, sorting and creating all together. Privacy first, open-source, customizable an...
๐จ CVE-2026-59880
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.
๐@cveNotify
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.
๐@cveNotify
GitHub
perf(Map): index large hash-collision buckets for faster lookups ยท immutable-js/immutable-js@3dd7e56
Backport of the hash-collision DoS fix to the 4.x line. Large
HashCollisionNode buckets now build a per-process seeded secondary index
(hashCollisionKey) instead of scanning linearly, restoring nea...
HashCollisionNode buckets now build a per-process seeded secondary index
(hashCollisionKey) instead of scanning linearly, restoring nea...
๐จ CVE-2026-59879
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in src/List.js, causing an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values. This issue is fixed in versions 4.3.9 and 5.1.8.
๐@cveNotify
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in src/List.js, causing an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values. This issue is fixed in versions 4.3.9 and 5.1.8.
๐@cveNotify
GitHub
Merge commit from fork ยท immutable-js/immutable-js@a1a1ee4
fix(List): guard oversized bounds in setListBounds
๐จ CVE-2026-60102
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.
๐@cveNotify
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.
๐@cveNotify
GitHub
fix(vfs): quote smbclient arguments to prevent command injection (CVEโฆ ยท horde/Vfs@41f74b4
โฆ-2026-60102)
Harden Horde_Vfs_Smb against crafted resource names. It previously only neutralised
';' and '\' but not $(...), backticks, newlines as attack vectors....
Harden Horde_Vfs_Smb against crafted resource names. It previously only neutralised
';' and '\' but not $(...), backticks, newlines as attack vectors....