Medium
CVSS: 6.3
OpenClaw versions prior to 2026.2.22 with the optional BlueBubbles plugin contain an access control bypass vulnerability where empty allowFrom configuration causes dmPolicy pairing and allowlist restrictions to be ineffective. Remote attack…
Low
CVSS: 3.8
Mattermost versions 10.11.x
High
CVSS: 7.7
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escala…
Medium
CVSS: 4.3
Mattermost versions 11.3.x
High
CVSS: 7.4
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the tok…
Medium
CVSS: 4.3
Mattermost versions 11.3.x
Low
CVSS: 3.1
Mattermost versions 10.11.x
Medium
CVSS: 4.3
Mattermost versions 11.3.x
Low
CVSS: 2.7
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path,…
Low
CVSS: 3.8
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other sur…
Medium
CVSS: 6.6
Mattermost versions 11.3.x
Medium
CVSS: 4.8
Improper authorization in Settings prior to SMR Mar-2026 Release 1 allows local attacker to disable configuring the background data usage of application.
Medium
CVSS: 4.1
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, An insufficient authorization check in the file replace API allows a user with only list visibility permission (UserPermListOtherU…
Medium
CVSS: 6.5
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can…
High
CVSS: 7.7
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, whi…
Low
CVSS: 2.3
Copyparty is a portable file server. Prior to 1.20.12, there was a missing permission-check in the shares feature (the shr global-option). This vulnerability only applies when the shares feature is used for the specific purpose of creating…
High
CVSS: 7.6
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (returns Promise) but is called without await in both the POST and PUT…
High
CVSS: 8.9
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store…
Medium
CVSS: 6.5
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before th…
Medium
CVSS: 4.3
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning the labor cost, it was not checked that the user that was planned in the budget is actually a project member.…