Auth bypass in Tuist

CVE-2026-44678

Tuist is a virtual platform team for Swift app devs. In 1.180.8 and earlier, the DELETE /api/projects/{account_handle}/{project_handle}/previews/{preview_id} endpoint loads the preview by its UUID without verifying that the preview belongs…

Vulnerability class: IDOR (Insecure Direct Object Reference)

EPSS: 0.000 (13.5th percentile) — read the EPSS interpretation.