CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.07)
A vulnerability in Papermark up to version 0.22.0 is caused by a CORS misconfiguration, allowing unauthenticated remote attackers to perform credentialed cross-origin requests. Attackers exploit the TUS-based viewer upload endpoint that reflects arbitrary request Origins with Access-Control-Allow-Credentials set to true.
A vulnerability in SigNoz through version 0.130.1 allows authenticated users to access alert rules of other organizations by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. This enables bypassing multi-tenant access controls.
A SQL injection vulnerability in SigNoz through version 0.130.1 allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of alert-history endpoints. Attackers can read all stored traces, logs, and metrics, or abuse the url() function for server-side request forgery (SSRF).
Vulnerability in Elide through version 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
A vulnerability in Mythic before version 3.4.0.60 allows authenticated spectator-role users to bypass authorization and perform unauthorized write operations. Attackers can exploit the misconfigured eventing_import_automatic_webhook endpoint to create and delete automation workflows.
Mythic before version 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpoints with a known payload UUID from another operation to access that operation's C2 profile configuration including encryption keys and callback parameters.
A vulnerability in Mythic before version 3.4.0.60 is caused by a broken Hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.
A broken access control vulnerability in ruoyi-vue-pro through version 2026.05 (fixed in commit 5d1fd70) in ErpSaleOrderController allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting incorrect permission namespace enforcement. Attackers can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders.
A missing authorization vulnerability in the CRM module of ruoyi-vue-pro (up to version 2026.05, fixed in commit c779a47) exists in the GET /admin-api/crm/follow-up-record/get endpoint. Authenticated users can read any follow-up record by iterating sequential numeric IDs.
Pinpoint through version 3.1.0 contains an insecure session management vulnerability where the pinpointJwt session cookie lacks HttpOnly and Secure attributes. This allows attackers to access the cookie via JavaScript (document.cookie) and transmit it in cleartext over HTTP.
An SSRF vulnerability in Pinpoint through version 3.1.0 allows authenticated users to register internal URLs in the webhook registration endpoint due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to send POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.
A broken access control vulnerability in Invidious before version 2.20260626.0 allows unauthenticated attackers to retrieve private playlist contents via the RSS feed playlist endpoint. Attackers can supply a playlist ID to obtain the full playlist contents, owner email address, and associated video entries without authentication.
A broken access control vulnerability in PhotoPrism before version 260601-a7d098548 allows authenticated non-admin users to modify other users' profile information. The missing session-to-user identifier validation in the PUT users API endpoint enables attackers to overwrite another user's profile details without authorization.
A vulnerability in LibrePhotos before version 1.0.0 in the SetPhotosShared endpoint allows authenticated users to bypass ownership validation and grant themselves access to other users' private photos. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos.
LibreTranslate through version 1.9.7 has an IP spoofing vulnerability in the get_remote_address() function. An unauthenticated attacker can inject arbitrary values into the X-Forwarded-For header, bypassing per-IP rate limiting and flood bans.
Parseable before version 2.9.2 exposes webhook tokens and basic-auth credentials in cleartext via notification-target API endpoints due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets.
A vulnerability in Gorse before version 0.5.10 allows authentication bypass in the /api/dump and /api/restore endpoints. Unauthenticated attackers can exfiltrate the entire database containing personally identifiable information or completely overwrite the dataset.
A vulnerability in Teable before the June 15, 2026 build allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from share metadata and read field values intended to be restricted from public view.
Modoboa before version 2.9.0 has an insecure direct object reference (IDOR) vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint. Domain administrators can change any user's password, including superadmins, leading to full account takeover.
A vulnerability in Nitter allows unauthenticated attackers to exploit the /video media proxy endpoint to send HTTP requests to any host reachable by the server, including cloud metadata services and internal network resources. The issue stems from missing validation of target URLs against Twitter/X domains and the use of a hardcoded default HMAC key.

