Export limit exceeded: 343836 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10411 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10411 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-32818 | 1 Admidio | 1 Admidio | 2026-03-25 | 6.5 Medium |
| Admidio is an open-source user management solution. In versions 5.0.0 through 5.0.6, the forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topic_delete and post_delete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete(). Any authenticated user with forum access can delete any topic (with all its posts) or any individual post by providing its UUID. This is inconsistent with the save/edit operations, which properly check isAdministratorForum() and ownership before allowing modifications. Any logged-in user can permanently and irreversibly delete any forum topic (including all its posts) or any individual post by simply knowing its UUID (which is publicly visible in URLs), completely bypassing authorization checks. This issue has been fixed in version 5.0.7. | ||||
| CVE-2026-32736 | 1 Hytalemodding | 1 Wiki | 2026-03-25 | 4.3 Medium |
| The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. An Insecure Direct Object Reference (IDOR) vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information - including full names and email addresses - to any authenticated user who visits a mod page. Any user who creates an account can access sensitive author details by simply navigating to a mod's page via its slug. Version 1.0.0 fixes the issue. | ||||
| CVE-2026-32005 | 1 Openclaw | 1 Openclaw | 2026-03-24 | 6.8 Medium |
| OpenClaw versions prior to 2026.2.25 fail to enforce sender authorization checks for interactive callbacks including block_action, view_submission, and view_closed in shared workspace deployments. Unauthorized workspace members can bypass allowFrom restrictions and channel user allowlists to enqueue system-event text into active sessions. | ||||
| CVE-2026-32006 | 1 Openclaw | 1 Openclaw | 2026-03-24 | 3.1 Low |
| OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where DM pairing-store identities are incorrectly treated as group allowlist identities when dmPolicy=pairing and groupPolicy=allowlist. Remote attackers can send messages and reactions as DM-paired identities without explicit groupAllowFrom membership to bypass group sender authorization checks. | ||||
| CVE-2026-3009 | 1 Redhat | 7 Build Keycloak, Build Of Keycloak, Jboss Enterprise Application Platform and 4 more | 2026-03-24 | 8.1 High |
| A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. | ||||
| CVE-2025-9572 | 2 Redhat, Theforeman | 5 Enterprise Linux, Satellite, Satellite Capsule and 2 more | 2026-03-24 | 5 Medium |
| n authorization flaw in Foreman's GraphQL API allows low-privileged users to access metadata beyond their assigned permissions. Unlike the REST API, which correctly enforces access controls, the GraphQL endpoint does not apply proper filtering, leading to an authorization bypass. | ||||
| CVE-2023-6394 | 2 Quarkus, Redhat | 3 Quarkus, Build Of Quarkus, Quarkus | 2026-03-24 | 7.4 High |
| A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions. | ||||
| CVE-2023-4194 | 4 Debian, Fedoraproject, Linux and 1 more | 5 Debian Linux, Fedora, Linux Kernel and 2 more | 2026-03-24 | 5.5 Medium |
| A flaw was found in the Linux kernel's TUN/TAP functionality. This issue could allow a local user to bypass network filters and gain unauthorized access to some resources. The original patches fixing CVE-2023-1076 are incorrect or incomplete. The problem is that the following upstream commits - a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid"), - 66b2c338adce ("tap: tap_open(): correctly initialize socket uid"), pass "inode->i_uid" to sock_init_data_uid() as the last parameter and that turns out to not be accurate. | ||||
| CVE-2026-32268 | 1 Craftcms | 1 Azure-blob | 2026-03-24 | N/A |
| The Azure Blob Storage for Craft CMS plugin provides an Azure Blob Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.1.1, unauthenticated users can view a list of buckets the plugin has access to. The `DefaultController->actionLoadContainerData()` endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error messages, additional attack vectors are also exposed. Users should update to version 2.1.1 of the plugin to mitigate the issue. | ||||
| CVE-2026-32693 | 1 Canonical | 1 Juju | 2026-03-24 | 8.8 High |
| In Juju from version 3.0.0 through 3.6.18, the authorization of the "secret-set" tool is not performed correctly, which allows a grantee to update the secret content, and can lead to reading or updating other secrets. When the "secret-set" tool logs an error in an exploitation attempt, the secret is still updated contrary to expectations, and the new value is visible to both the owner and the grantee. | ||||
| CVE-2026-4064 | 2 Devolutions, Ironmansoftware | 2 Powershell Universal, Powershell Universal | 2026-03-24 | 8.3 High |
| Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allows an authenticated user with any valid token to bypass role-based access controls and perform privileged operations — including reading sensitive data, creating or deleting resources, and disrupting service operations — via crafted gRPC requests. | ||||
| CVE-2026-24692 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-03-24 | 4.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 fail to properly enforce read permissions in search API endpoints which allows guest users without read permissions to access posts and files in channels via search API requests. Mattermost Advisory ID: MMSA-2025-00554 | ||||
| CVE-2026-32583 | 2 Webnus, Wordpress | 2 Modern Events Calendar, Wordpress | 2026-03-24 | 5.3 Medium |
| Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modern Events Calendar: from n/a through 7.29.0. | ||||
| CVE-2025-69196 | 1 Jlowin | 1 Fastmcp | 2026-03-24 | 6.5 Medium |
| FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for the base_url passed to the OAuthProxy during initialization. This issue has been patched 2.14.2. | ||||
| CVE-2026-32267 | 1 Craftcms | 2 Craft Cms, Craftcms | 2026-03-24 | 9.8 Critical |
| Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12. | ||||
| CVE-2026-26304 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-03-24 | 4.3 Medium |
| Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2 fail to verify run_create permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542 | ||||
| CVE-2026-26230 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2026-03-24 | 3.8 Low |
| Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role. Mattermost Advisory ID: MMSA-2025-00531 | ||||
| CVE-2026-4202 | 1 Typo3 | 1 Extension "redirect Tabs" | 2026-03-24 | N/A |
| The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page. | ||||
| CVE-2026-30911 | 1 Apache | 1 Airflow | 2026-03-24 | 8.1 High |
| Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop (HITL) endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to Apache Airflow 3.1.8 or later, which resolves this issue. | ||||
| CVE-2026-25083 | 1 Growi | 1 Growi | 2026-03-24 | N/A |
| GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages. | ||||