| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Missing Authorization in the server management routes (routes/admin.php) in Azuriom Azuriom CMS before 1.2.11 on all platforms allows an authenticated attacker with the admin.access permission to create AzLink server tokens and take over non-admin user accounts by changing their passwords and email addresses via crafted HTTP requests to /admin/servers/create and the AzLink API endpoints (/api/azlink/password, /api/azlink/email, /api/azlink/user/{id}). |
| Missing Authorization vulnerability in Shareaholic allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Shareaholic: from n/a through 9.7.11. |
| Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue. |
| Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions. |
| Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions. |
| Author Broken Access Control in W3 Total Cache <= 2.9.1 versions. |
| Subscriber Broken Access Control in WPBakery Page Builder <= 8.7.2 versions. |
| Subscriber Broken Access Control in Bricks Builder <= 2.1.4 versions. |
| Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions. |
| Subscriber Broken Access Control in WishList Member X <= 3.29.0 versions. |
| Missing Authorization vulnerability in Prince Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Integrate Google Drive: from n/a through 1.3.8. |
| Missing Authorization vulnerability in Avirtum iPages Flipbook allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects iPages Flipbook: from n/a through 1.5.1. |
| The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request |
| Subscriber Arbitrary Content Deletion in WPAMS < 49.5.3 versions. |
| Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions. |
| A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.
We have already fixed the vulnerability in the following version:
QuMagie 2.9.0 and later |
| A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions.
We have already fixed the vulnerability in the following version:
QuMagie 2.9.0 and later |
| An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions.
We have already fixed the vulnerability in the following version:
File Station 5 5.5.6.5243 and later |
| OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input. |
| OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session. |
