Skip to content

Menu
  • Home
Menu

CVE-2026-62386 – Grav < 1.0.0-rc.16 Authentication Bypass via token URL Parameter

Posted on July 17, 2026

CVE ID :CVE-2026-62386 Published : July 17, 2026, 12:07 a.m. | 27 minutes ago Description :The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens through the ?token= URL query parameter on…

CVE-2026-62241 – clawvet < 0.7.5 Hard-coded JWT Secret Session Forgery

Posted on July 17, 2026

CVE ID :CVE-2026-62241 Published : July 17, 2026, 12:07 a.m. | 27 minutes ago Description :clawvet self-hosted API server (apps/api) before 0.7.5 hard-codes a fallback JWT secret (‘clawvet-dev-secret-change-me’) in auth.ts and ships it…

CVE-2026-62234 – Grav < 2.0.4 SSRF via Unrestricted cURL Protocols

Posted on July 17, 2026

CVE ID :CVE-2026-62234 Published : July 17, 2026, 12:07 a.m. | 27 minutes ago Description :Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to…

CVE-2026-62233 – grav-plugin-api < 1.0.6 Privilege Escalation via createApiKey

Posted on July 17, 2026

CVE ID :CVE-2026-62233 Published : July 17, 2026, 12:07 a.m. | 27 minutes ago Description :grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa, and disable2fa endpoints, allowing non-super api.users.write managers…

CVE-2026-62232 – Grav < 2.0.4 2FA Bypass via Secret Regeneration

Posted on July 17, 2026

CVE ID :CVE-2026-62232 Published : July 17, 2026, 12:07 a.m. | 27 minutes ago Description :Grav before 2.0.4 contains a two-factor authentication bypass vulnerability in the login plugin where the regenerate2FASecret task checks…

CVE-2026-55652 – Wekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unauthenticated full account takeover (incl. admin)

Posted on July 16, 2026

CVE ID :CVE-2026-55652 Published : July 15, 2026, 10:17 p.m. | 2 hours, 17 minutes ago Description :Wekan is open source kanban built with Meteor. Prior to 9.46, header-login with HEADER_LOGIN_TRUSTED_IPS uses getRequestIp() in…

CVE-2026-55576 – MaaAssistantArknights: PR-title expression injection in release-preparation.yml

Posted on July 16, 2026

CVE ID :CVE-2026-55576 Published : July 15, 2026, 10:17 p.m. | 2 hours, 17 minutes ago Description :MaaAssistantArknights is a one-click tool for daily Arknights tasks. In the current dev-v2 workflow, .github/workflows/release-preparation.yml inlined attacker-controlled…

CVE-2026-55445 – Qinglong: Incomplete fix for CVE-2026-3965: Improper Authentication

Posted on July 16, 2026

CVE ID :CVE-2026-55445 Published : July 15, 2026, 10:17 p.m. | 2 hours, 17 minutes ago Description :Qinglong is a timed task management platform supporting Python3, JavaScript, Shell, and Typescript. Prior to 2.20.1, the…

CVE-2026-55234 – Wekan: Broken access control: any authenticated user can move their Cards/Lists/Swimlanes into a private board they are not a member of (cross-board write via collection allow rule)

Posted on July 16, 2026

CVE ID :CVE-2026-55234 Published : July 15, 2026, 10:17 p.m. | 2 hours, 17 minutes ago Description :Wekan is open source kanban built with Meteor. Prior to 9.37, Wekan DDP update allow rules in…

CVE-2026-54458 – AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin

Posted on July 16, 2026

CVE ID :CVE-2026-54458 Published : July 15, 2026, 10:17 p.m. | 2 hours, 17 minutes ago Description :WWBN AVideo is an open source video platform. Versions prior to 29.0 contain a stored DOM Cross-Site…

Posts pagination

1 2 … 112 Next

Site map

  • About Us
  • Privacy Policy
  • Terms & Conditions of Use
©2026 | Design: Newspaperly WordPress Theme