Export limit exceeded: 344029 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10428 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-24312 | 1 Sap | 2 Business Workflow, Sap Basis | 2026-02-17 | 5.2 Medium |
| An erroneous authorization check in SAP Business Workflow leads to privilege escalation. An authenticated administrative user can bypass role restrictions by leveraging permissions from a less sensitive function to execute unauthorized, high-privilege actions. This has a high impact on data integrity, with low impact on confidentiality and no impact on availability of the application. | ||||
| CVE-2026-24322 | 2 Sap, Sap Se | 2 Solution Tools Plug-in, Sap Solution Tools Plug-in (st-pi) | 2026-02-17 | 7.7 High |
| SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability. | ||||
| CVE-2026-24326 | 2 Sap, Sap Se | 2 S\/4hana Defense \& Security, Sap S/4hana Defense & Security (disconnected Operations) | 2026-02-17 | 4.3 Medium |
| Due to a missing authorization check in the Disconnected Operations of the SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to do direct update on standard SAP database table . This results in low impact on integrity, with no impact on confidentiality or availability of the application. | ||||
| CVE-2026-24327 | 2 Sap, Sap Se | 2 Strategic Enterprise Management, Sap Strategic Enterprise Management (balanced Scorecard In Bsp Application) | 2026-02-17 | 4.3 Medium |
| Due to missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This leads to low impact on confidentiality and no effect on integrity or availability. | ||||
| CVE-2025-67737 | 1 Azuracast | 1 Azuracast | 2026-02-17 | 3.1 Low |
| AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station's operations can craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the coordinating internal filesystem structure. This issue is fixed in version 0.23.2. | ||||
| CVE-2026-26012 | 1 Dani-garcia | 1 Vaultwarden | 2026-02-13 | 6.5 Medium |
| vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Prior to 1.35.3, a regular organization member can retrieve all ciphers within an organization, regardless of collection permissions. The endpoint /ciphers/organization-details is accessible to any organization member and internally uses Cipher::find_by_org to retrieve all ciphers. These ciphers are returned with CipherSyncType::Organization without enforcing collection-level access control. This vulnerability is fixed in 1.35.3. | ||||
| CVE-2026-25924 | 1 Kanboard | 1 Kanboard | 2026-02-13 | 8.5 High |
| Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, a security control bypass vulnerability in Kanboard allows an authenticated administrator to achieve full Remote Code Execution (RCE). Although the application correctly hides the plugin installation interface when the PLUGIN_INSTALLER configuration is set to false, the underlying backend endpoint fails to verify this security setting. An attacker can exploit this oversight to force the server to download and install a malicious plugin, leading to arbitrary code execution. This vulnerability is fixed in 1.2.50. | ||||
| CVE-2026-25531 | 1 Kanboard | 1 Kanboard | 2026-02-13 | 4.3 Medium |
| Kanboard is project management software focused on Kanban methodology. Prior to 1.2.50, The fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50. | ||||
| CVE-2023-31726 | 1 Alistgo | 1 Alist | 2026-02-13 | 7.5 High |
| AList 3.15.1 is vulnerable to Incorrect Access Control, which can be exploited by attackers to obtain sensitive information. | ||||
| CVE-2025-30398 | 1 Microsoft | 3 Nuance Powerscribe, Nuance Powerscribe 360, Nuance Powerscribe One | 2026-02-13 | 8.1 High |
| Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. | ||||
| CVE-2026-25939 | 1 Frangoteam | 1 Fuxa | 2026-02-13 | 9.1 Critical |
| FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in the FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11. | ||||
| CVE-2025-29827 | 1 Microsoft | 1 Azure Automation | 2026-02-13 | 9.9 Critical |
| Improper authorization in Azure Automation allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2025-49723 | 1 Microsoft | 16 Windows 10 1809, Windows 10 21h2, Windows 10 21h2 and 13 more | 2026-02-13 | 8.8 High |
| Missing authorization in Windows StateRepository API allows an authorized attacker to perform tampering locally. | ||||
| CVE-2025-50171 | 1 Microsoft | 12 Server, Windows, Windows 10 21h2 and 9 more | 2026-02-13 | 9.1 Critical |
| Missing authorization in Remote Desktop Server allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2025-14592 | 1 Gitlab | 1 Gitlab | 2026-02-13 | 3.7 Low |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint. | ||||
| CVE-2025-70997 | 2 Eladmin, Elunez | 2 Eladmin, Eladmin | 2026-02-12 | 8.1 High |
| A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level. | ||||
| CVE-2026-26031 | 1 Frappe | 2 Frappe Lms, Learning | 2026-02-12 | 5.3 Medium |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.44.0, security issue was identified in Frappe Learning, where unauthorised users were able to access the full list of enrolled students (by email) in batches. This vulnerability is fixed in 2.44.0. | ||||
| CVE-2026-21743 | 1 Fortinet | 1 Fortiauthenticator | 2026-02-12 | 6.8 Medium |
| A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modification to local users via a file upload to an unprotected endpoint. | ||||
| CVE-2025-15395 | 1 Ibm | 1 Jazz Foundation | 2026-02-11 | 4.3 Medium |
| IBM Jazz Foundation 7.0.3 through 7.0.3 iFix019 and 7.1.0 through 7.1.0 iFix005 is vulnerable to access control violations that allows the users to view or access/perform actions beyond their expected capability. | ||||
| CVE-2025-66719 | 1 Free5gc | 1 Nrf | 2026-02-11 | 9.1 Critical |
| An issue was discovered in Free5gc NRF 1.4.0. In the access-token generation logic of free5GC, the AccessTokenScopeCheck() function in file internal/sbi/processor/access_token.go bypasses all scope validation when the attacker uses a crafted targetNF value. This allows attackers to obtain an access token with any arbitrary scope. | ||||