Security vulnerabilities I have responsibly disclosed. All findings were reported to the affected vendors and patched before public disclosure.
| CVE / ID | Product | Summary | Severity | Date | References |
|---|---|---|---|---|---|
| CVE-2026-48088 | OpenReception | unauthenticated staff crypto poisoning breaks E2E recipient directory | Critical (9.4) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48087 | OpenReception | WebAuthn passkey injection allows account takeover | Critical (9.8) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48086 | OpenReception | tenant admin self-promotes to GLOBAL_ADMIN | Critical (9.9) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48085 | OpenReception | unauthenticated GLOBAL_ADMIN account creation post-bootstrap | Critical (9.8) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48084 | OpenReception | passphrase login attempts are not rate-limited | High (7.4) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48083 | OpenReception | unauthenticated POST /api/log accepts arbitrary content with CRLF injection and no size or rate limits | Moderate (6.5) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48082 | OpenReception | bootstrap challenge proof-of-work difficulty hardcoded to 16 bits enables abuse rate amplification | Low (3.7) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48081 | OpenReception | stored click-triggered XSS via javascript: tenant links rendered into patient-facing footer | High (8.1) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48080 | OpenReception | tenant detail endpoint discloses live PostgreSQL connection string, superuser-scoped in the tested official deployment | High (8.0) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48079 | OpenReception | logout page clears local access_token before server-side revocation, leaving duplicated tokens valid until expiry | High (7.4) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48078 | OpenReception | schedule endpoint discloses isPublic=false channels and slot availability to unauthenticated callers | Moderate (5.3) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48077 | OpenReception | GET appointment by ID returns full appointment record without authorization | Moderate (5.3) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48076 | OpenReception | bootstrap booking flow allows unauthenticated booking on isPublic=false channels | Moderate (6.5) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48075 | OpenReception | unauthenticated add-to-tunnel endpoint accepts arbitrary appointment injections | Moderate (6.5) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48074 | OpenReception | staff deletion removes pending invites cross-tenant by email match | Low (2.7) | 2026-05-20 | CVE, GHSA |
| CVE-2026-48071 | OpenReception | client PIN challenge throttle is keyed by emailHash only, allowing cross-tenant lockout | Moderate (5.8) | 2026-05-20 | CVE, GHSA |
| CVE-2026-6965 | Tutor LMS WordPress Plugin | insecure direct object reference leading to authenticated arbitrary post deletion via course GET parameter | Moderate (5.3) | 2026-05-12 | CVE, Wordfence |
| CVE-2026-34782 | Zammad | missing authorization in AI assistance controller for text tools | Moderate (5.3) | 2026-04-08 | CVE, GHSA, Blog post |
| CVE-2026-34837 | Zammad | missing authorization in AI assistance controller for context data used in text tools | Moderate (5.3) | 2026-04-08 | CVE, GHSA, Blog post |
| CVE-2026-34721 | Zammad | cross-site request forgery (CSRF) in OAuth callback endpoints | Moderate (5.9) | 2026-04-08 | CVE, GHSA |
| MSRC Acknowledgment | Microsoft Online Services | vulnerability in Microsoft Online Services | — | 2026-03-31 | MSRC Acknowledgements |
| CVE-2025-30201 | Wazuh | bypass of UNC path mitigation in Windows OSQuery via \\?\UNC\ | High (7.1) | 2025-03-17 | CVE, GHSA, Blog post |