Search Results (1865 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-54839 2026-06-26 7.5 High
Unauthenticated Sensitive Data Exposure in Trinity Backup &#8211; Backup, Migrate, Restore, Clone &amp; Schedule Backups <= 2.0.9 versions.
CVE-2026-56823 2026-06-26 5.4 Medium
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the `POST /api/integrations/webhooks/{webhook_id}/ping` endpoint fetches the target webhook by primary key alone without verifying that the webhook belongs to the authenticated user. Any authenticated user can supply an arbitrary webhook_id to confirm webhook existence, leak the webhook's OAuth provider type, and in some cases trigger a ping delivery on behalf of another user. This vulnerability is fixed in .
CVE-2026-12411 2026-06-26 8.4 High
Broken Access Control in the devLXDInstancePatchHandler component of Canonical LXD allows an untrusted guest to mount, read, and overwrite another guest's custom storage volume via a crafted device PATCH request over /dev/lxd when security.devlxd.management.volumes is enabled.
CVE-2026-57634 2026-06-26 4.3 Medium
Contributor Insecure Direct Object References (IDOR) in PPWP <= 1.9.19 versions.
CVE-2026-57665 2026-06-26 5.3 Medium
Unauthenticated Insecure Direct Object References (IDOR) in GravityView <= 3.0.0 versions.
CVE-2026-57646 2026-06-26 5.4 Medium
Subscriber Insecure Direct Object References (IDOR) in Majestic Support <= 1.1.7 versions.
CVE-2026-57652 2026-06-26 5.3 Medium
Unauthenticated Insecure Direct Object References (IDOR) in JS Help Desk <= 3.1.0 versions.
CVE-2026-57630 2026-06-26 5.3 Medium
Unauthenticated Insecure Direct Object References (IDOR) in Blocksy Companion Pro <= 2.1.46 versions.
CVE-2026-56069 2026-06-26 7.5 High
Unauthenticated Insecure Direct Object References (IDOR) in Toolset Forms <= 2.6.24 versions.
CVE-2026-56048 2026-06-26 6.5 Medium
Unauthenticated Insecure Direct Object References (IDOR) in Payment Gateway Based Fees and Discounts for WooCommerce <= 3.0.0 versions.
CVE-2026-54826 2026-06-26 7.6 High
Subscriber Insecure Direct Object References (IDOR) in SupportCandy <= 3.4.6 versions.
CVE-2025-66123 2026-06-26 5.3 Medium
Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions.
CVE-2026-54097 1 Filebrowser 1 Filebrowser 2026-06-26 N/A
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, a low-privileged authenticated user of filebrowser (with create + delete permissions in their own isolated scope) can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose logical path happens to be a byte-prefix of another user's stored share.Link.Path. The file contents of the victim are not exposed, but the victim's share links are irrevocably wiped. This vulnerability is fixed in 2.63.6.
CVE-2026-52699 2 E4jvikwp, Wordpress 2 Vikrentcar, Wordpress 2026-06-26 7.5 High
Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.
CVE-2026-56013 2 Mycred, Wordpress 2 License Manager For Woocommerce, Wordpress 2026-06-26 6.5 Medium
Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions.
CVE-2026-56772 1 Samuelclay 1 Newsblur 2026-06-26 4.3 Medium
NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary user_id values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate user_id values to access another user's follows, replies, and social activity without authorization.
CVE-2026-39518 2 Theeventprime, Wordpress 2 Eventprime, Wordpress 2026-06-26 7.1 High
Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions.
CVE-2026-40792 2 Iqonic, Wordpress 2 Kivicare, Wordpress 2026-06-26 6.3 Medium
Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
CVE-2026-9099 1 Redhat 1 Build Keycloak 2026-06-26 7.7 High
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
CVE-2026-9799 1 Redhat 2 Build Keycloak, Build Of Keycloak 2026-06-26 4.6 Medium
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.