Skip to main content

Monorepo

2 CVEs product

Monthly

CVE-2026-59262 HIGH PATCH This Week

Broken access control in AFFiNE (toeverything/AFFiNE monorepo) lets any authenticated workspace member read the edit history of documents they should not access by querying the GraphQL 'histories' field with an arbitrary document GUID. Because the resolver never checks Doc.Read permission, an attacker can enumerate private page timelines and harvest contributor user names, emails, and edit timestamps. No public exploit has been identified at time of analysis, but exploitation is trivial for any low-privileged member.

Authentication Bypass Monorepo
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2022-31529 CRITICAL POC Act Now

The cinemaproject/monorepo repository through 2021-03-03 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Path Traversal Monorepo
NVD GitHub
CVSS 3.1
9.3
EPSS
1.2%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken access control in AFFiNE (toeverything/AFFiNE monorepo) lets any authenticated workspace member read the edit history of documents they should not access by querying the GraphQL 'histories' field with an arbitrary document GUID. Because the resolver never checks Doc.Read permission, an attacker can enumerate private page timelines and harvest contributor user names, emails, and edit timestamps. No public exploit has been identified at time of analysis, but exploitation is trivial for any low-privileged member.

Authentication Bypass Monorepo
NVD GitHub VulDB
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

The cinemaproject/monorepo repository through 2021-03-03 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Path Traversal Monorepo
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy