Skip to main content
CVE-2026-33877 LOW PATCH GHSA Monitor

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurably different response times. The endpoint also accepts both username and email via an $or query, and has no rate limiting as the existing checkLoginAttempts throttle only applies to the login flow. This enables automated enumeration of valid accounts for use in credential stuffing or targeted phishing. Only instances that have explicitly enabled the passwordReset option are affected, as it defaults to false. This issue has been fixed in version 4.29.0.

Information Disclosure Node.js
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-21727 LOW PATCH Monitor

--- title: Cross-Tenant Legacy Correlation Disclosure and Deletion draft: false hero: image: /static/img/heros/hero-legal2.svg content: "# Cross-Tenant Legacy Correlation Disclosure and Deletion" date: 2026-01-29 product: Grafana severity: Low cve: CVE-2026-21727 cvss_score: "3.3" cvss_vector: "CVSS:3.3/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N" fixed_versions: - ">=11.6.11 >=12.0.9 >=12.1.6 >=12.2.4" --- A cross-tenant isolation vulnerability was found in Grafana’s Correlations feature affecting legacy correlation records. Due to a backward compatibility condition allowing org_id = 0 records to be returned across organizations, a user with datasource management privileges could read and permanently delete legacy correlation data belonging to another organization. This issue affects correlations created prior to Grafana 10.2 and is fixed in >=11.6.11, >=12.0.9, >=12.1.6, and >=12.2.4. Thanks to Gyu-hyeok Lee (g2h) for reporting this vulnerability.

Information Disclosure Grafana
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-33212 LOW PATCH GHSA Monitor

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so exploiting this is unlikely with the default API rate limits. This issue has been fixed in version 5.17.

Authentication Bypass Weblate
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-6313 LOW PATCH Monitor

Insufficient policy enforcement in CORS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-6312 LOW PATCH Monitor

Insufficient policy enforcement in Passwords in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Authentication Bypass Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-40947 LOW PATCH Monitor

Untrusted DLL search path vulnerability in Yubico libfido2 before 1.17.0, python-fido2 before 2.2.0, and yubikey-manager before 5.9.1 allows local attackers to achieve privilege escalation or code execution by placing a malicious DLL in a directory searched before the legitimate library location. The vulnerability requires local access and high complexity conditions but affects three widely-used FIDO2 authentication libraries; no public exploit code identified at time of analysis.

Information Disclosure Python
NVD
CVSS 3.1
2.9
EPSS
0.0%
CVE-2025-52641 LOW Monitor

HCL AION allows local attackers with high privileges to explore internal filesystem structures through certain system behaviors, potentially disclosing information about the underlying environment that could facilitate further targeted attacks. The vulnerability requires local access, high privileges, and user interaction to trigger, with a CVSS score of 2.9 reflecting low immediate risk. No public exploit code or active exploitation has been identified.

Information Disclosure Aion
NVD
CVSS 3.1
2.9
EPSS
0.0%
CVE-2026-27769 LOW PATCH Monitor

Mattermost versions 10.11.0 through 10.11.12 fail to validate workspace ownership during Connected Workspaces API interactions, allowing a malicious remote server with high privileges to modify the displayed status of local users. This affects organizations using the Connected Workspaces federation feature and requires an attacker to already possess high administrative privileges on a connected remote instance. The vulnerability has CVSS 2.7 (low severity) and no public exploit code or active exploitation has been identified.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-12141 LOW Monitor

In Grafana's alerting system, users with edit permissions for a contact point, specifically the permissions “alert.notifications:write” or “alert.notifications.receivers:test” that are granted as part of the fixed role "Contact Point Writer", which is part of the basic role Editor - can edit contact points created by other users, modify the endpoint URL to a controlled server. By invoking the test functionality, attackers can capture and extract redacted secure settings, such as authentication credentials for third-party services (e.g., Slack tokens). This leads to unauthorized access and potential compromise of external integrations.

Authentication Bypass Information Disclosure Grafana
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy