ByteOS Network

tuist

Source -

CNA

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-44678

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-7.1||HIGH

EPSS-0.04% / 11.53%

7 Day CHG~0.00%

Published-14 May, 2026 | 20:41

Updated-16 May, 2026 | 01:03

Tuist: IDOR in preview deletion API allows cross-tenant deletion of any preview by UUID

Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs to the project resolved from the URL path. The route's project-level authorization plug (AuthorizationPlug, :preview) authorizes the caller against the project encoded in account_handle/project_handle — which the attacker controls — and then the action deletes whichever preview's UUID is supplied. The check therefore guards the wrong project.

Vendor-tuist

Product-tuist

CWE ID-CWE-639

Authorization Bypass Through User-Controlled Key

CVE-2026-44679

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-6.9||MEDIUM

EPSS-0.05% / 16.04%

7 Day CHG~0.00%

Published-14 May, 2026 | 20:40

Updated-15 May, 2026 | 18:05

Tuist: Forgot password flow lacks throttling for reset email delivery

Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes of unwanted email and consume downstream email delivery resources. This vulnerability is fixed in 1.180.10.

Vendor-tuist

Product-tuist

CWE ID-CWE-770

Allocation of Resources Without Limits or Throttling