Export limit exceeded: 342293 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (7286 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1786 | 2 Badbreze, Wordpress | 2 Twitter Posts To Blog, Wordpress | 2026-02-11 | 6.5 Medium |
| The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dg_tw_options' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including Twitter API credentials, post author, post status, and the capability required to access the plugin's admin menu. | ||||
| CVE-2026-1833 | 2 Sm Rasmy, Wordpress | 2 Wamate Confirm – Order Confirmation, Wordpress | 2026-02-11 | 5.3 Medium |
| The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to block and unblock phone numbers, which should be restricted to administrators. | ||||
| CVE-2025-13391 | 2 Moomoo, Wordpress | 2 Product Options And Price Calculation Formulas For Woocommerce – Uni Cpo (premium), Wordpress | 2026-02-11 | 5.8 Medium |
| The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60. | ||||
| CVE-2026-25806 | 2 Praskla-technology, Prasklatechnology | 2 Assessment-placipy, Placipy | 2026-02-11 | 6.5 Medium |
| PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do not enforce authorization. The application does not verify whether the authenticated user owns the student record being accessed, has an administrative / staff role, or is permitted to modify or delete the target student. | ||||
| CVE-2026-25810 | 2 Praskla-technology, Prasklatechnology | 2 Assessment-placipy, Placipy | 2026-02-11 | 9.1 Critical |
| PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/student.submission.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). | ||||
| CVE-2026-25876 | 2 Praskla-technology, Prasklatechnology | 2 Assessment-placipy, Placipy | 2026-02-11 | 9.1 Critical |
| PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment. | ||||
| CVE-2025-70983 | 2 Bladex, Springblade Project | 2 Springblade, Springblade | 2026-02-11 | 9.9 Critical |
| Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. | ||||
| CVE-2025-52024 | 1 Aptsys | 2 Gemscms Backend, Pos Platform Web Services | 2026-02-11 | 9.4 Critical |
| A vulnerability exists in the Aptsys POS Platform Web Services module thru 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries. | ||||
| CVE-2026-25538 | 1 Devtron | 1 Devtron | 2026-02-11 | 8.8 High |
| Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26. | ||||
| CVE-2026-24777 | 2 Openproject, Opf | 2 Openproject, Openproject | 2026-02-11 | 6.7 Medium |
| OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2. | ||||
| CVE-2024-4259 | 2 Sambas, Sampas Holding | 2 Akos, Akos | 2026-02-11 | 9.8 Critical |
| Missing Authorization vulnerability in SAMPAŞ Holding AKOS (AkosCepVatandasService), SAMPAŞ Holding AKOS (TahsilatService) allows Collect Data as Provided by Users. This issue affects AKOS (AkosCepVatandasService): before V2.0; AKOS (TahsilatService): before V1.0.7. | ||||
| CVE-2024-21417 | 1 Microsoft | 15 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 12 more | 2026-02-10 | 8.8 High |
| Windows Text Services Framework Elevation of Privilege Vulnerability | ||||
| CVE-2026-0845 | 2 Wclovers, Wordpress | 2 Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible, Wordpress | 2026-02-10 | 7.2 High |
| The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2026-0817 | 2 Mediawiki, Wikimedia | 3 Mediawiki, Campaignevents, Mediawiki-campaignevents Extension | 2026-02-10 | 5.3 Medium |
| Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse.This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39. | ||||
| CVE-2025-15289 | 1 Tanium | 2 Interact, Service Interact | 2026-02-10 | 3.1 Low |
| Tanium addressed an improper access controls vulnerability in Interact. | ||||
| CVE-2025-15330 | 1 Tanium | 2 Deploy, Service Deploy | 2026-02-10 | 8.8 High |
| Tanium addressed an improper input validation vulnerability in Deploy. | ||||
| CVE-2025-15327 | 1 Tanium | 2 Deploy, Service Deploy | 2026-02-10 | 4.3 Medium |
| Tanium addressed an improper access controls vulnerability in Deploy. | ||||
| CVE-2025-15326 | 1 Tanium | 2 Patch, Service Patch | 2026-02-10 | 4.3 Medium |
| Tanium addressed an improper access controls vulnerability in Patch. | ||||
| CVE-2025-14895 | 2 Roxnor, Wordpress | 2 Popup Builder With Gamification, Multi-step Popups, Page-level Targeting, And Woocommerce Triggers, Wordpress | 2026-02-10 | 5.4 Medium |
| The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics. | ||||
| CVE-2026-1722 | 2 Wclovers, Wordpress | 2 Wcfm Marketplace – Multivendor Marketplace For Woocommerce, Wordpress | 2026-02-10 | 5.3 Medium |
| The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings. | ||||