HackerOne Disclosed Reports - 2026-05-08


Low
resolved

Private circle can be added to another circle via API despite visibility restriction


Bug reported by Dang Hung Vi was disclosed on May 8, 2026, 12:55 pm | Insecure Direct Object Reference (IDOR)

A vulnerability was discovered where private circles could be added to other circles via the API, despite visibility restrictions.


Low
resolved

Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner


Bug reported by 0x0.eth was disclosed on May 8, 2026, 11:08 am | Insecure Direct Object Reference (IDOR)

Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner.


Low
resolved

View-only guests could see deleted Collectives pages in the trashbin


Bug reported by _dha was disclosed on May 8, 2026, 8:35 am | Improper Access Control - Generic

A vulnerability was discovered where view-only guests could see deleted Collectives pages in the trashbin.



Messages In This Thread
HackerOne disclosed reports - 2026-05-08 - by hashXploiter - 4 hours ago


