VYPR

Omnidocs

by Newgensoft

CVEs (7)

  • CVE-2025-69907 | High | Jan 23, 2026
    risk 0.49 | cvss 7.5 | epss 0.01

    An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal…

  • CVE-2024-39033 | High | Feb 6, 2025
    risk 0.49 | cvss 7.5 | epss 0.00

    In Newgensoft OmniDocs 11.0_SP1_03_006, Insecure Direct Object Reference (IDOR) in the getuserproperty function allows user's configuration and PII to be stolen.

  • CVE-2026-5414 | Medium | Apr 2, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    A security flaw has been discovered in Newgen OmniDocs up to 12.0.00. Affected by this issue is some unknown functionality of the file /omnidocs/WebApiRequestRedirection. The manipulation of the argument DocumentId results in improper control of resource identifiers. The attack…

  • CVE-2026-5413 | Low | Apr 2, 2026
    risk 0.24 | cvss 3.7 | epss 0.00

    A vulnerability was identified in Newgen OmniDocs up to 12.0.00. Affected by this vulnerability is an unknown functionality of the file /omnidocs/GetWebApiConfiguration. The manipulation of the argument connectionDetails leads to information disclosure. The attack is possible to…

  • CVE-2011-3645 | Sep 27, 2011
    risk 0.03 | cvss | epss 0.03

    Newgen OmniDocs allows remote attackers to bypass intended access restrictions via (1) a modified FolderRights parameter to doccab/doclist.jsp, which leads to arbitrary permission changes; or (2) a modified UserIndex parameter to doccab/userprofile/editprofile.jsp, which selects…

  • CVE-2010-0701 | Feb 23, 2010
    risk 0.03 | cvss | epss 0.01

    SQL injection vulnerability in ForceChangePassword.jsp in Newgen Software OmniDocs allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2025-65742 | Dec 15, 2025
    risk 0.00 | cvss | epss 0.00

    An unauthenticated Broken Function Level Authorization (BFLA) vulnerability in Newgen OmniDocs v11.0 allows attackers to obtain sensitive information and execute a full account takeover via a crafted API request.