Search Results (11497 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-57660 | | | 2026-06-26 | 5.3 Medium | Unauthenticated Broken Access Control in Booking and Rental Manager <= 2.7.1 versions. |
| CVE-2026-54835 | | | 2026-06-26 | 7.5 High | Unauthenticated Broken Access Control in Five Star Restaurant Menu <= 2.5.2 versions. |
| CVE-2026-2299 | 1 Mattermost | 1 Mattermost Google Drive Plugin | 2026-06-26 | 4.2 Medium | The Mattermost Google Drive plugin before version 1.1.0 fails to validate channel membership in the file creation endpoint, allowing authenticated users with a connected Google account to share Google Drive files to unauthorized private channels and disclose private channel membership. |
| CVE-2026-57521 | 1 Bitwarden | 1 Server | 2026-06-26 | 4.3 Medium | Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data. |
| CVE-2026-1869 | 2 Wordpress, Wpeverest | 2 Wordpress, User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | 2026-06-26 | 6.5 Medium | The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing validation checks in the confirm_payment() function in all versions up to, and including, 5.2.0. This makes it possible for unauthenticated attackers to bypass payment processing and activate paid memberships. |
| CVE-2026-38329 | 1 Bludit | 1 Bludit Cms | 2026-06-26 | 9.8 Critical | Bludit CMS before version 3.18.4 allows Remote Code Execution (RCE) via the API Plugin. The POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and execute arbitrary code on the server. |
| CVE-2026-39533 | 2 Wordpress, Wptasty | 2 Wordpress, Awp Classifieds | 2026-06-26 | 7.5 High | Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions. |
| CVE-2026-6964 | 2 J 3rk, Wordpress | 2 Video Conferencing With Zoom, Wordpress | 2026-06-26 | 5.3 Medium | The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain the site's Zoom SDK API key and a freshly-signed JWT that can be used with the Zoom Web SDK to join any Zoom meeting associated with those credentials without a legitimate invitation. |
| CVE-2026-10831 | 1 Moxa | 2 Cn2600 Series, Nport 5600 Series | 2026-06-26 | N/A | A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote attacker with network access can send crafted requests to disrupt serial communication for an active user session. |
| CVE-2025-14272 | 1 Rockwellautomation | 1 Factorytalk Analytics Pavilionx | 2026-06-26 | N/A | A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions. |
| CVE-2026-48776 | 1 Langchain-ai | 2 Langchain, Langchain-sdk | 2026-06-26 | 4.2 Medium | LangGraph Python SDK is used to connect to running LangGraph API servers, manage assistants, threads and stream runs from Python applications. Versions 0.3.14 and prior have unsafe URL path construction through unsanitized caller-supplied identifier values used in HTTP request paths for resource operations. Without sanitization of those values, identifiers that contain characters with special meaning in URL paths could cause the resulting request to address a different resource (and potentially a different resource type) than the SDK method's call site indicates. In deployments where the SDK receives identifier values that originate from untrusted sources, this could result in unintended access, modification, or deletion of resources beyond the calling user's authorization scope. This issue is most consequential in deployments that forward end-user-supplied values directly into SDK identifier parameters without first validating them against an expected format (such as a UUID), and rely on URL-prefix-based authorization at an upstream layer (reverse proxy, edge gateway, WAF), where the authorization decision is made on the SDK call's intended path rather than on the final delivered request path. The issue has been fixed in version 0.3.15. |
| CVE-2026-8383 | 2 Learnpress, Wordpress | 2 Learnpress, Wordpress | 2026-06-26 | 5.3 Medium | The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoints behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request. |
| CVE-2026-45436 | 2 Rain-task, Wordpress | 2 Wpbakery Page Builder, Wordpress | 2026-06-26 | 6.5 Medium | Subscriber Broken Access Control in WPBakery Page Builder <= 8.7.2 versions. |
| CVE-2026-54844 | 2 Checkview, Wordpress | 2 Checkview Automated Testing, Wordpress | 2026-06-26 | 7.5 High | Unauthenticated Broken Access Control in CheckView Automated Testing <= 2.1.0 versions. |
| CVE-2026-57429 | 2 Elightup, Wordpress | 2 Slim Seo, Wordpress | 2026-06-26 | 6.5 Medium | Contributor Broken Access Control in Slim SEO <= 4.6.2 versions. |
| CVE-2026-48941 | 1 Getk2 | 1 K2 Extension For Joomla | 2026-06-26 | 6.5 Medium | The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`. |
| CVE-2026-56768 | 1 Haiwen | 1 Seahub | 2026-06-26 | 8.8 High | Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees. |
| CVE-2026-48969 | 2 Really-simple-plugins, Wordpress | 2 Really Simple Ssl, Wordpress | 2026-06-26 | 6.5 Medium | Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions. |
| CVE-2025-64215 | 2 Stylemixthemes, Wordpress | 2 Masterstudy Lms, Wordpress | 2026-06-26 | 6.5 Medium | Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16. |
| CVE-2026-39515 | 2 Stylemix, Wordpress | 2 Motors, Wordpress | 2026-06-26 | 6.5 Medium | Subscriber Broken Access Control in Motors < 1.4.107 versions. |