Search Results (1886 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-46311 | 1 Gvectors | 1 Wpdiscuz | 2026-04-28 | 2.7 Low |
| Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz. This issue affects Comments – wpDiscuz: from n/a through 7.6.3. | ||||
| CVE-2023-41796 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2026-04-28 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers. This issue affects Sunshine Photo Cart: Free Client Galleries for Photographers: from n/a before 3.0.0. | ||||
| CVE-2023-38513 | 1 Meowapps | 1 Photo Engine | 2026-04-28 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Jordy Meow Photo Engine (Media Organizer & Lightroom). This issue affects Photo Engine (Media Organizer & Lightroom): from n/a through 6.2.5. | ||||
| CVE-2023-37871 | 1 Automattic | 1 Woocommerce Gocardless | 2026-04-28 | 8.2 High |
| Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless. This issue affects GoCardless: from n/a through 2.5.6. | ||||
| CVE-2023-36520 | 1 Zackgrossbart | 1 Editorial Calendar | 2026-04-28 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in MarketingFire Editorial Calendar. This issue affects Editorial Calendar: from n/a through 3.7.12. | ||||
| CVE-2023-35916 | 1 Automattic | 1 Woopayments | 2026-04-28 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0. | ||||
| CVE-2023-35914 | 1 Automattic | 1 Woocommerce Subscriptions | 2026-04-28 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Woo Subscriptions. This issue affects Woo Subscriptions: from n/a through 5.1.2. | ||||
| CVE-2023-35876 | 1 Automattic | 1 Woocommerce Square | 2026-04-28 | 8.1 High |
| Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square. This issue affects WooCommerce Square: from n/a through 3.8.1. | ||||
| CVE-2023-32799 | 1 Woocommerce | 1 Shipping Multiple Addresses | 2026-04-28 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses. This issue affects Shipping Multiple Addresses: from n/a through 3.8.3. | ||||
| CVE-2023-32747 | 1 Automattic | 1 Woocommerce Bookings | 2026-04-28 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings. This issue affects WooCommerce Bookings: from n/a through 1.15.78. | ||||
| CVE-2023-23679 | 1 Jshelpdesk | 1 Jshelpdesk | 2026-04-28 | 4.6 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in JS Help Desk js-support-ticket allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JS Help Desk: from n/a through 2.7.7. | ||||
| CVE-2022-43450 | 1 Xwp | 1 Stream | 2026-04-28 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in XWP Stream. This issue affects Stream: from n/a through 3.9.2. | ||||
| CVE-2026-41372 | 1 Openclaw | 1 Openclaw | 2026-04-28 | 5.8 Medium |
| OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning `localhost.` to retarget authenticated browser control toward localhost endpoints and expose browser state. | ||||
| CVE-2026-28747 | 1 Milesight | 82 Ms-c2964-rflpc, Ms-c2966-rflwpc, Ms-c2966-x12rlpc and 79 more | 2026-04-28 | 7.1 High |
| A weak key generation vulnerability exists in specific firmware versions of Milesight AIOT cameras that allows authorization to be bypassed. | ||||
| CVE-2026-6375 | 1 Spicejet | 1 Online Booking System | 2026-04-28 | N/A |
| A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and obtain associated passenger names. This flaw stems from missing authorization checks on an endpoint intended for authenticated profile access. | ||||
| CVE-2026-2028 | 2 Ckp267, Wordpress | 2 Maxiblocks Builder, Wordpress | 2026-04-28 | 5.3 Medium |
| The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators. | ||||
| CVE-2025-15626 | 1 Ribblr | 1 Crotchet And Knitting | 2026-04-28 | N/A |
| Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application | ||||
| CVE-2026-6810 | 2 Codepeople, Wordpress | 2 Booking Calendar Contact Form, Wordpress | 2026-04-28 | 5.3 Medium |
| The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to take over other users' calendars and view user data associated with the calendar. | ||||
| CVE-2026-7144 | 1 1000projects | 1 Portfolio Management System Mca | 2026-04-28 | 4.3 Medium |
| A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | ||||
| CVE-2026-28736 | 1 Mattermost | 1 Focalboard | 2026-04-28 | 4.3 Medium |
| ** UNSUPPORTED WHEN ASSIGNED ** Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued. | ||||