Skip to main content

Papra

3 CVEs product

Monthly

CVE-2026-35462 MEDIUM PATCH This Month

Papra API key expiration validation bypass in versions before 26.4.0 allows authenticated users with expired API keys to maintain indefinite access to protected endpoints. An attacker who obtains or retains a valid API key can continue authenticating even after the key's expiresAt timestamp has passed, enabling persistent unauthorized data access. This affects all Papra deployments using API key authentication without the 26.4.0 patch, though exploitation requires initial possession of a valid API key.

Information Disclosure Papra
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-35461 MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Papra document management platform prior to 26.4.0 allows authenticated users to register arbitrary webhook endpoints without URL validation, enabling the server to make HTTP POST requests to localhost, internal networks, and cloud metadata endpoints on document events. Attack requires valid user authentication and knowledge of internal network topology but can exfiltrate sensitive data from restricted network segments.

SSRF Papra
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-35460 MEDIUM PATCH This Month

Papra document management platform versions prior to 26.4.0 allow authenticated attackers to inject HTML into transactional email templates by registering with a display name containing HTML tags, enabling convincing phishing attacks through legitimate Papra email domains. The vulnerability affects verification and password reset emails, which are sent from official Papra domains, making socially engineered attacks highly credible. No public exploit code or active exploitation has been identified at time of analysis.

XSS Papra
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Papra API key expiration validation bypass in versions before 26.4.0 allows authenticated users with expired API keys to maintain indefinite access to protected endpoints. An attacker who obtains or retains a valid API key can continue authenticating even after the key's expiresAt timestamp has passed, enabling persistent unauthorized data access. This affects all Papra deployments using API key authentication without the 26.4.0 patch, though exploitation requires initial possession of a valid API key.

Information Disclosure Papra
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) in Papra document management platform prior to 26.4.0 allows authenticated users to register arbitrary webhook endpoints without URL validation, enabling the server to make HTTP POST requests to localhost, internal networks, and cloud metadata endpoints on document events. Attack requires valid user authentication and knowledge of internal network topology but can exfiltrate sensitive data from restricted network segments.

SSRF Papra
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Papra document management platform versions prior to 26.4.0 allow authenticated attackers to inject HTML into transactional email templates by registering with a display name containing HTML tags, enabling convincing phishing attacks through legitimate Papra email domains. The vulnerability affects verification and password reset emails, which are sent from official Papra domains, making socially engineered attacks highly credible. No public exploit code or active exploitation has been identified at time of analysis.

XSS Papra
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy