Export limit exceeded: 357222 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (8120 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4986 | 2 Wordpress, Wpforms | 2 Wordpress, Wpforms | 2026-06-09 | 5.3 Medium |
| The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions. | ||||
| CVE-2026-39910 | 1 Stackit | 1 Iaas Api | 2026-06-09 | 9.8 Critical |
| STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT servers service-accounts endpoint to attach high-privileged service accounts and query the Instance Metadata Service to retrieve OAuth2 tokens, bypassing tenant boundaries and gaining unauthorized control over the entire organization environment. | ||||
| CVE-2026-10787 | 1 Devolutions | 1 Server | 2026-06-09 | 4.3 Medium |
| Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier | ||||
| CVE-2026-44754 | 1 Sap Se | 1 Odp Data Replication Apis | 2026-06-09 | 6.6 Medium |
| The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application. | ||||
| CVE-2026-4058 | 2 Wedevs, Wordpress | 2 User Frontend: Ai Powered Frontend Posting, User Directory, Profile, Membership & User Registration, Wordpress | 2026-06-09 | 4.3 Medium |
| The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators. | ||||
| CVE-2026-47349 | 1 Typo3 | 1 Typo3 | 2026-06-09 | N/A |
| Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. | ||||
| CVE-2026-47350 | 1 Typo3 | 1 Typo3 | 2026-06-09 | N/A |
| Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3. | ||||
| CVE-2026-47351 | 1 Typo3 | 1 Typo3 | 2026-06-09 | N/A |
| Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2. | ||||
| CVE-2026-26236 | 1 Qnap Systems | 1 Qumagie | 2026-06-09 | N/A |
| A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later | ||||
| CVE-2026-47352 | 1 Typo3 | 1 Typo3 | 2026-06-09 | N/A |
| Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. | ||||
| CVE-2026-49741 | 1 Typo3 | 1 Typo3 | 2026-06-09 | N/A |
| Backend users with write access to the form_definition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations, re-enabling attack vectors originally addressed in TYPO3-CORE-SA-2018-003, including SQL injection and privilege escalation. This issue affects TYPO3 CMS versions 14.0.0-14.3.3. | ||||
| CVE-2026-11607 | 1 Typo3 | 1 Typo3 | 2026-06-09 | N/A |
| Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. | ||||
| CVE-2026-47343 | 1 Typo3 | 1 Typo3 | 2026-06-09 | N/A |
| Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization restrictions. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0 through 11.5.50, 12.0.0 through 12.4.45, 13.0.0 through 13.4.30, and 14.0.0 through 14.3.2. | ||||
| CVE-2026-47346 | 1 Typo3 | 1 Typo3 | 2026-06-09 | N/A |
| Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers to escalate privileges by creating administrative backend user accounts. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.50, 12.0.0-12.4.45, 13.0.0-13.4.30 and 14.0.0-14.3.2. | ||||
| CVE-2026-46444 | 1 Flowiseai | 1 Flowise | 2026-06-08 | N/A |
| Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, all CRUD endpoints for OpenAI Assistants Vector Store have no authentication middleware and the route path /api/v1/openai-assistants-vector-store is not in WHITELIST_URLS. However, it is also not protected by the main auth middleware when accessed via API key — the route requires API key auth (not whitelisted), but no permission checks exist on any operation. This issue has been patched in version 3.1.2. | ||||
| CVE-2026-10855 | 1 Misp | 1 Misp | 2026-06-08 | 4.3 Medium |
| An authorization flaw existed in the MISP Event Template Importer overwrite workflow. When importing an event template in overwrite mode, the application checked whether a matching template already existed but did not verify that the importing user belonged to the organization that owned the existing template. As a result, an authenticated user with access to the template import functionality could forcibly overwrite an event template owned by another organization. Successful exploitation could allow unauthorized modification of another organization’s event template, potentially altering template structure, attributes, or metadata used for subsequent event creation or sharing workflows. Site administrators are not affected by this restriction, as they are explicitly allowed to overwrite templates across organizations. The issue was fixed by enforcing an ownership check before overwrite: non-site-admin users may only overwrite templates owned by their own organization. | ||||
| CVE-2026-7523 | 2 Alejo30, Wordpress | 2 Alba Board, Wordpress | 2026-06-07 | 4.3 Medium |
| The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to access arbitrary private alba_card post data, including title, description, assignee, due date, tags, and comments, that is intended to be restricted to Administrators and Editors. The handler is registered via the wp_ajax_nopriv_ hook and its nonce is exposed to all site visitors through wp_localize_script on pages containing the [alba_board] shortcode, making this exploitable by unauthenticated users who can access any such page. | ||||
| CVE-2026-8976 | 2 Themeisle, Wordpress | 2 Rss Aggregator By Feedzy – Feed To Post, Autoblogging, News & Youtube Video Feeds Aggregator, Wordpress | 2026-06-07 | 4.3 Medium |
| The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users. | ||||
| CVE-2026-9008 | 2 Webvitaly, Wordpress | 2 Page-list, Wordpress | 2026-06-07 | 4.3 Medium |
| The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it. | ||||
| CVE-2026-7624 | 2 Squirrly, Wordpress | 2 Seo Plugin By Squirrly Seo, Wordpress | 2026-06-07 | 4.3 Medium |
| The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 12.4.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to invoke privileged state-changing Squirrly cloud API operations, such as revoking the site's Google Search Console and Google Analytics integrations via `api/gsc/revoke` and `api/ga/revoke`, that are otherwise restricted to administrator-level users holding the `sq_manage_settings` capability. | ||||