Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
3 vulnerabilities by papra
CVE-2026-35462 (GCVE-0-2026-35462)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:30 – Updated: 2026-04-07 17:54
VLAI?
Title
Papra Does Not Reject Expired API Keys
Summary
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0.
Severity ?
4.3 (Medium)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35462",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T17:53:54.846310Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T17:54:02.880Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "papra",
"vendor": "papra-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 26.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key \u2014 regardless of its expiration date \u2014 is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:30:17.479Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-866c-mc22-wvv5"
}
],
"source": {
"advisory": "GHSA-866c-mc22-wvv5",
"discovery": "UNKNOWN"
},
"title": "Papra Does Not Reject Expired API Keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35462",
"datePublished": "2026-04-07T14:30:17.479Z",
"dateReserved": "2026-04-02T19:25:52.193Z",
"dateUpdated": "2026-04-07T17:54:02.880Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35461 (GCVE-0-2026-35461)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:28 – Updated: 2026-04-09 14:41
VLAI?
Title
Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL
Summary
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0.
Severity ?
5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35461",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T14:41:10.311428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:41:13.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "papra",
"vendor": "papra-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 26.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to registered URLs, including localhost, internal network ranges, and cloud provider metadata endpoints, on every document event. This vulnerability is fixed in 26.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:28:42.063Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-cjw7-qg95-58mq"
}
],
"source": {
"advisory": "GHSA-cjw7-qg95-58mq",
"discovery": "UNKNOWN"
},
"title": "Papra has a Blind Server-Side Request Forgery (SSRF) via Webhook URL"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35461",
"datePublished": "2026-04-07T14:28:42.063Z",
"dateReserved": "2026-04-02T19:25:52.193Z",
"dateUpdated": "2026-04-09T14:41:13.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35460 (GCVE-0-2026-35460)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:26 – Updated: 2026-04-07 15:59
VLAI?
Title
Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name
Summary
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: auth@mail.papra.app), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0.
Severity ?
4.3 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35460",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T15:13:13.038044Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T15:59:07.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "papra",
"vendor": "papra-hq",
"versions": [
{
"status": "affected",
"version": "\u003c 26.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have those tags injected into the verification and password reset email bodies. Since emails are sent from the legitimate domain (e.g: auth@mail.papra.app), this enables convincing phishing attacks that appear to originate from official Papra notifications. This vulnerability is fixed in 26.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:26:52.943Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/papra-hq/papra/security/advisories/GHSA-6f8x-2rc9-vgh4"
}
],
"source": {
"advisory": "GHSA-6f8x-2rc9-vgh4",
"discovery": "UNKNOWN"
},
"title": "Papra has an HTML Injection in Transactional Emails via Unescaped User Display Name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35460",
"datePublished": "2026-04-07T14:26:52.943Z",
"dateReserved": "2026-04-02T19:25:52.193Z",
"dateUpdated": "2026-04-07T15:59:07.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}