cve-2026-58410 let low-privileged churchcrm users with editself access read and modify other families records by changing the familyId in API routes
cve-2026-50539 let any authenticated xibo cms user download arbitrary notification attachments through missing object-level authorization on notification export
cve-2026-54256 let any authenticated backend user in wintercms target unrelated attachment records through the backend fileupload widget
cve-2026-55383 let public customer document tokens cross company boundaries in invoiceshelf through emaillog type confusion and missing expiry checks
cve-2026-49355 exposed private work package data through the single meeting agenda item api in openproject
cve-2026-47755 let a low-privileged authenticated user pull another client credentials and totp secrets in itflow