CVEs

List of my CVES

24 published entries

CVE-2026-58410 ChurchCRM High

Family-scoped API endpoints trusted attacker-controlled family IDs, letting low-privileged users read and create notes on unrelated family records.

July 3, 2026
CVE-2026-56826 Shopper Moderate

Missing function-level authorization on Settings Livewire actions let low-privileged users delete tax, zone, shipping, and carrier configuration used by checkout.

July 2, 2026
CVE-2026-14358 MediaWiki Charts Extension Moderate

Stored XSS in Wikimedia chart pie tooltips allowed Data namespace field titles to reach the ECharts HTML tooltip renderer.

July 2, 2026
CVE-2026-54717 SilverStripe CMS Moderate

Stored XSS in page list view breadcrumbs let attacker-controlled page titles execute in the SilverStripe CMS admin interface.

June 24, 2026
CVE-2026-50539 Xibo CMS Moderate

Missing object-level authorization on notification export let any authenticated user download arbitrary notification attachments by iterating IDs.

June 22, 2026
CVE-2026-54562 Cloudreve Moderate

Non-admin users granted remote download permission could make Cloudreve fetch loopback and internal URLs, then read the imported response body from their own files.

June 21, 2026
CVE-2026-54256 Winter CMS Moderate

The backend FileUpload widget trusted posted file IDs globally, letting any authenticated backend user target unrelated attachment records and modify metadata or ordering.

June 21, 2026

A CRUD delete helper precedence bug let real HTTP DELETE requests bypass failed validation, leading to runtime-confirmed cross-organisation galaxy deletion.

June 21, 2026
CVE-2026-55383 InvoiceShelf High

Public customer document tokens could cross company boundaries through EmailLog type confusion, and JSON endpoints kept accepting expired tokens.

June 17, 2026
CVE-2026-54258 ZoneMinder Moderate

Direct event media endpoints let low-privileged users fetch private snapshots, frames, videos, and HLS media from monitors they were denied access to.

June 13, 2026
CVE-2026-53634 Sharp Moderate

Quick Creation Command endpoints missed create authorization checks and let authenticated Sharp users bypass create permission on configured entities.

June 10, 2026
CVE-2026-53521 Nezha Moderate

A stored future DDNS profile ID could later resolve to another user profile and be consumed by the DDNS worker in attacker server context.

June 10, 2026
CVE-2026-49355 OpenProject Moderate

The single meeting agenda item API disclosed private work package data from a linked work package in an inaccessible project.

June 8, 2026
CVE-2026-50199 Wallos Moderate

Cross-user Fixer/API Layer credential consumption in exchange-rate refresh let one user trigger provider-backed actions through another user's stored credential.

June 5, 2026
CVE-2026-50198 Wallos Moderate

Cross-user subscription cost inference via replacement_subscription_id let an authenticated user infer another user subscription cost through unscoped stats dereferencing.

June 5, 2026
CVE-2026-48067 Filament Moderate

Inconsistent scope enforcement for AttachAction and AssociateAction Select fields let out-of-scope records pass through backend validation.

May 25, 2026
CVE-2026-47755 ITFlow Moderate

Authenticated cross-tenant credential disclosure exposed another client secrets through an unprotected credential modal.

May 25, 2026
CVE-2026-47745 Shopper Moderate

Payment methods, currencies, and carriers exposed inline toggles and record actions without proper per-action authorization checks.

May 22, 2026
CVE-2026-47744 Shopper Critical

Team settings authorization defects let authenticated panel users take over the RBAC system itself.

May 22, 2026
CVE-2026-47743 Shopper High

Multiple admin Livewire issues led to data tampering, sensitive data disclosure, and stored XSS.

May 22, 2026
CVE-2026-47742 Shopper Moderate

Product editor sub-form Livewire components accepted unauthorized store actions and allowed tampering without the required permission.

May 22, 2026
CVE-2026-47741 Shopper Moderate

A discount race condition enabled silent over-redemption and effectively bypassed the per-user usage limit.

May 22, 2026
CVE-2026-47740 Shopper High

Missing authorization on order mutation actions let low-privileged authenticated users mutate order state without the required write permission.

May 22, 2026
CVE-2026-44692 Sharp High

A generic download endpoint let authenticated users use one valid record as an authorization anchor to download unrelated Laravel Storage objects.

May 8, 2026