Search Results (5723 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-35148 2026-07-16 6.3 Medium
HCL DFXServer is affected by a Missing Access Control vulnerability. This vulnerability states that certain endpoints are accessible without any form of authentication in another browser. This allows any network user to invoke these APIs and interact with the application without verification of their identity or authorization level.
CVE-2026-10750 2026-07-16 8.1 High
The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users with a low-privileged role such as Subscriber to read private content, enumerate all users and their roles, and create, modify, or delete content owned by other users.
CVE-2026-21044 1 Samsung Mobile 1 Samsung Mobile Devices 2026-07-16 N/A
Improper authorization in KnoxGuardManager prior to SMR Jul-2026 Release 1 allows local attackers to bypass the persistence configuration of the application.
CVE-2026-11964 2026-07-16 9.1 Critical
The User Registration & Membership WordPress plugin before 5.2.2 does not verify the authenticity of incoming payment-provider webhook notifications before acting on them, allowing unauthenticated attackers to forge a payment-approved event and activate a paid membership subscription without completing a real payment.
CVE-2026-11563 2026-07-16 9.6 Critical
The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full site takeover (e.g. by deleting wp-config.php).
CVE-2026-13936 1 Google 1 Chrome 2026-07-16 6.5 Medium
Inappropriate implementation in Passwords in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-14034 1 Google 1 Chrome 2026-07-15 4.3 Medium
Inappropriate implementation in WebXR in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
CVE-2026-46485 1 Lissy93 1 Dashy 2026-07-15 8.2 High
Dashy is a self-hostable personal dashboard. Prior to 4.0.8, Dashy deployments using OIDC can allow unauthenticated users or non-admin authenticated users to write changes to the main config.yaml through the config-saving functionality despite configured permissions, allowing unauthorized modification of dashboard configuration and potential service disruption. This issue is fixed in version 4.0.8.
CVE-2026-47164 1 Dani-garcia 1 Vaultwarden 2026-07-15 7.7 High
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO login flow checked the IdP email_verified claim only for new-user creation and not when SSO_SIGNUPS_MATCH_EMAIL=true linked an IdP identity to an existing local account, allowing an attacker-controlled IdP identity asserting a victim email address to bind to and authenticate as that account. This issue is fixed in version 1.36.0.
CVE-2026-55116 2026-07-15 9 Critical
A malicious actor with access to the network and under certain network configurations could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices.
CVE-2026-20150 2026-07-15 8.8 High
As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities. The vulnerabilities tracked by CVE-2026-20150 are related to improper access control that are grouped under the Common Weakness Enumeration (CWE) Pillar CWE-284.
CVE-2026-46817 1 Oracle 2 E-business Suite, Payments 2026-07-15 9.8 Critical
Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVE-2026-58617 1 Microsoft 2 365 Copilot Ios, 365 Copilot Ios 2026-07-15 8.1 High
Improper access control in Microsoft 365 Copilot for iOS allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-50342 1 Microsoft 3 Windows 11 24h2, Windows 11 25h2, Windows 11 26h1 2026-07-15 8.8 High
Improper access control in Windows MIDI Service Module allows an authorized attacker to elevate privileges locally.
CVE-2025-63579 1 Kyocera 1 Command Center Rx 2026-07-15 7.5 High
Unauthorized use of Kyocera printers, allows all information stored in the Kyocera address book to be exported. The security measure that encrypts incoming data ian be bypassed with this vulnerability, allowing encrypted data to be decrypted. Passwords and other sensitive information can be obtained. This affects Kyocera Command Center RX TASKalfa 2552ci, TASKalfa 3252ci, TASKalfa 2553ci, TASKalfa 3253ci, TASKalfa 3554ci, TASKalfa 4052ci, TASKalfa 5052ci, TASKalfa 6052ci, TASKalfa 7052ci, TASKalfa 8052ci, TASKalfa 7353ci, TASKalfa 8353ci, TASKalfa 2554ci, TASKalfa 3254ci, TASKalfa 505.
CVE-2026-55014 1 Microsoft 1 Windows-remote-help 2026-07-15 7.8 High
Improper access control in Windows Remote Help Defense allows an authorized attacker to elevate privileges locally.
CVE-2026-50335 1 Microsoft 9 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 6 more 2026-07-15 7.8 High
Improper access control in Windows Operating Systems allows an authorized attacker to elevate privileges locally.
CVE-2026-50418 1 Microsoft 5 Windows 11 24h2, Windows 11 25h2, Windows 11 26h1 and 2 more 2026-07-15 5.1 Medium
Improper access control in Windows System allows an unauthorized attacker to bypass a security feature locally.
CVE-2026-50495 1 Microsoft 9 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 6 more 2026-07-15 6.1 Medium
Improper access control in Microsoft Windows DNS allows an authorized attacker to perform tampering locally.
CVE-2026-13800 1 Google 1 Chrome 2026-07-15 7.8 High
Inappropriate implementation in Updater in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)