VYPR
Vendor: Papra

Products: 1
CVEs: 4
Across products: 4
Status: Private

Recent CVEs (4)
  • CVE-2026-35461 Med Apr 7, 2026
    risk 0.33 cvss 5.0 epss 0.00

    Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, the Papra webhook system allows authenticated users to register arbitrary URLs as webhook endpoints with no validation of the destination address. The server makes outbound HTTP POST requests to…

  • CVE-2026-35462 Med Apr 7, 2026
    risk 0.28 cvss 4.3 epss 0.00

    Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a…

  • CVE-2026-35460 Med Apr 7, 2026
    risk 0.28 cvss 4.3 epss 0.00

    Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, transactional email templates in Papra interpolate user.name directly into HTML without escaping or sanitization. An attacker who registers with a display name containing HTML tags will have…

  • CVE-2026-48051 low Jun 10, 2026
    risk 0.00 cvss epss 0.00

    Summary: Papra's webhook delivery system contains an SSRF protection bypass that allows any authenticated organisation member to cause the server to make HTTP requests to internal addresses — loopback, link-local, and RFC-1918 ranges. The SSRF protection validates the…