Search Results (11054 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-49385 | 1 Jetbrains | 1 Youtrack | 2026-06-01 | 6.5 Medium | In JetBrains YouTrack before 2026.1.13570, improper access control allowed low-privileged users to modify service accounts. |
| CVE-2023-23445 | 1 Sick | 14 Ftmg-esd15axx, Ftmg-esd15axx Firmware, Ftmg-esd20axx and 11 more | 2026-06-01 | 7.5 High | Improper Access Control in SICK FTMg AIR FLOW SENSOR with part numbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to gain unauthorized access to data fields by using an otherwise unprivileged account via the REST interface. |
| CVE-2023-23446 | 1 Sick | 14 Ftmg-esd15axx, Ftmg-esd15axx Firmware, Ftmg-esd20axx and 11 more | 2026-06-01 | 7.5 High | Improper Access Control in SICK FTMg AIR FLOW SENSOR with part numbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526 allows an unprivileged remote attacker to download files by using an otherwise unprivileged account via the REST interface. |
| CVE-2023-1114 | 1 Eskom | 1 E-belediye | 2026-06-01 | 9.8 Critical | Missing Authorization vulnerability in Eskom e-Belediye allows Information Elicitation. This issue affects e-Belediye: from 1.0.0.95 before 1.0.0.100. |
| CVE-2026-8382 | | | 2026-06-01 | 5.3 Medium | The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request. |
| CVE-2026-9791 | 1 Redhat | 2 Build Keycloak, Keycloak | 2026-05-30 | 4.3 Medium | A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API, or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers. |
| CVE-2018-25391 | 1 Sitejo | 1 Hape Pkh | 2026-05-30 | 7.5 High | HaPe PKH 1.1 fails to enforce authorization on its record deletion endpoints, allowing unauthenticated attackers to delete arbitrary records by sending a crafted request that specifies the target record's id. The admin/modul/mod_pengurus/aksi_pengurus.php (module=pengurus&act=hapus) and admin/modul/mod_update/aksi_update.php (module=update&act=hapus) endpoints process deletions without verifying the requester's privileges, enabling removal of pengurus (administrator) and update records. |
| CVE-2026-47745 | 1 Shopperlabs | 1 Shopper | 2026-05-30 | 6.5 Medium | Shopper is a headless e-commerce admin panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every payment method on the store, disable or alter the default currency, or disable carriers. The impact is a full denial of checkout and loss of pricing integrity, reachable by any authenticated user. This vulnerability is fixed in 2.8.0. |
| CVE-2026-42726 | 2 Strategy11, Wordpress | 2 Awp Classifieds, Wordpress | 2026-05-30 | 6.5 Medium | Missing Authorization vulnerability in Strategy11 Team AWP Classifieds (another-wordpress-classifieds-plugin) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AWP Classifieds: from n/a through <= 4.4.5. |
| CVE-2026-49052 | 2 Wordpress, Wpmet | 2 Wordpress, Elementskit Elementor Addons | 2026-05-30 | 4.3 Medium | Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6. |
| CVE-2026-49053 | 2 Wordpress, Wpmet | 2 Wordpress, Elementskit Elementor Addons | 2026-05-30 | 5.3 Medium | Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6. |
| CVE-2026-4290 | 2 Wordpress, Wp Travel | 2 Wordpress, Wp Travel | 2026-05-30 | 9.1 Critical | The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators. |
| CVE-2026-44794 | 2 Nautobot, Networktocode | 2 Nautobot, Nautobot | 2026-05-30 | 5.4 Medium | Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, in the case of inter-object references via GenericForeignKey (a pattern allowing an object to reference another object that may belong to one of several different "content types" or database tables), when creating or updating an object containing a GenericForeignKey, Nautobot's REST API failed to enforce user "view" permissions when determining whether a given reference to another object would be valid. This vulnerability is fixed in 2.4.33 and 3.1.2. |
| CVE-2026-9091 | 1 Casdoor | 1 Casdoor | 2026-05-29 | 5.3 Medium | Casdoor versions 2.362.0 and earlier contain a logic flaw in the social-login binding flow that allows users to bypass configured MFA requirements. The binding-rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this path is logged in without MFA enforcement. |
| CVE-2026-35673 | 1 Openclaw | 1 Openclaw | 2026-05-29 | 6.5 Medium | OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can bypass private-network SSRF policies by reusing blocked tabs to export or inspect content that should remain protected. |
| CVE-2026-46823 | 1 Oracle | 1 Public Sector Financials | 2026-05-29 | 7.7 High | Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows a low-privileged attacker with network access via HTTPS to compromise Oracle Public Sector Financials (International). While the vulnerability is in Oracle Public Sector Financials (International), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Public Sector Financials (International) accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). |
| CVE-2026-3660 | 1 Ibm | 1 Engineering Lifecycle Management | 2026-05-29 | 9.8 Critical | IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files, which would allow them to gain unauthorized access to the application. |
| CVE-2026-32905 | 1 Openclaw | 1 Openclaw | 2026-05-29 | 8.3 High | OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without proper scope validation. Attackers with chat command access can create setup codes to enroll devices with operator/node capabilities, granting persistent credentials until manual removal. |
| CVE-2026-3117 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-05-29 | 6.5 Medium | Mattermost Plugins versions <=11.5, 11.1.5, 10.13.11, 11.3.4.0 fail to properly check for permissions when processing commands in the GitLab plugin, which allows normal users to uninstall instances or set up webhook connections via the {{gitlab instance {option}}} or {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600 |
| CVE-2026-6342 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-05-29 | 4.3 Medium | Mattermost Plugins versions <=11.5, 11.1.5, 10.13.11, 11.3.4.0 fail to appropriately check for valid namespaces, which allows plugin users to create subscriptions to groups that were not whitelisted by creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601 |