Export limit exceeded: 10667 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10667 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40213 | 2026-05-08 | 7.4 High | ||
| OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless of roles, project membership, or scope. An authenticated user with zero role assignments can complete various actions such as reprogramming FPGA bitstreams on arbitrary compute nodes via agent RPC. | ||||
| CVE-2026-8077 | 1 Cashdro | 1 Cashdro 3 Administration Panel | 2026-05-08 | N/A |
| Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escalate privileges and gain full administrative access. This vulnerability allows all restrictions to be bypassed and completely compromises system management. | ||||
| CVE-2026-20193 | 1 Cisco | 1 Identity Services Engine Software | 2026-05-07 | 4.3 Medium |
| A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive information on an affected device. This vulnerability is due to improper role-based access control (RBAC) permissions on the RADIUS Policy API endpoints. An attacker could exploit this vulnerability by bypassing the web-based management interface and directly calling an affected endpoint. A successful exploit could allow the attacker to gain unauthorized read access to sensitive RADIUS Policy details that are restricted for their role. | ||||
| CVE-2026-20189 | 1 Cisco | 1 Prime Infrastructure | 2026-05-07 | 4.3 Medium |
| A vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server. This vulnerability is due to insufficient authorization checks on the download service API. An attacker could exploit this vulnerability by submitting a crafted URL request to an affected device. A successful exploit could allow the attacker to download sensitive log files that they would otherwise not have authorization to access. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device. | ||||
| CVE-2026-29515 | 2 Micode, Xiaomi | 2 Fileexplorer, Fileexplorer | 2026-05-07 | 9.8 Critical |
| MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants access and allows listing, reading, writing, and deleting files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status. | ||||
| CVE-2025-66105 | 2 Mage-people, Wordpress | 2 Bus Ticket Booking With Seat Reservation, Wordpress | 2026-05-07 | 5.3 Medium |
| Missing Authorization vulnerability in Magepeople inc. Bus Ticket Booking with Seat Reservation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bus Ticket Booking with Seat Reservation: from n/a before 5.6.8. | ||||
| CVE-2026-43577 | 1 Openclaw | 1 Openclaw | 2026-05-07 | 6.5 Medium |
| OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions. | ||||
| CVE-2026-43583 | 1 Openclaw | 1 Openclaw | 2026-05-07 | 5.3 Medium |
| OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to bypass group tool policy enforcement and weaken channel media restrictions after service restart or recovery. | ||||
| CVE-2026-25436 | 2 Wordpress, Wp Royal | 2 Wordpress, Royal Elementor Addons | 2026-05-07 | 5.3 Medium |
| Missing Authorization vulnerability in WProyal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a before 1.7.1053. | ||||
| CVE-2026-6222 | 2 Wordpress, Wpmudev | 2 Wordpress, Forminator Forms – Contact Form, Payment Form & Custom Form Builder | 2026-05-07 | 5.3 Medium |
| The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook — which fires before WordPress enforces page-level capability checks — a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status. | ||||
| CVE-2026-41689 | 1 Ellite | 1 Wallos | 2026-05-07 | 6 Medium |
| Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches. | ||||
| CVE-2026-4807 | 2 Croixhaug, Wordpress | 2 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin, Wordpress | 2026-05-07 | 6.5 Medium |
| The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoint at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce). When the X-WP-Nonce validation fails, the function falls back to validating the X-PUBLIC-Nonce without properly rejecting the request. Since the public_nonce is exposed to all unauthenticated visitors and is site-wide (not user-specific or appointment-specific), attackers can obtain it and use it to view details of arbitrary appointments, including the public_edit_url, or delete arbitrary appointments by ID. This makes it possible for unauthenticated attackers to view, delete or modify any appointment in the system, disclosing sensitive appointment data, causing service disruption, and loss of booking records. | ||||
| CVE-2026-6863 | 1 Rapid7 | 1 Velociraptor | 2026-05-07 | 6.8 Medium |
| Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization (the lowest authenticated role, holding only READ_RESULTS permission ) can issue a single authenticated HTTP GET that can read any files from other orgs - even if they have no explicit permissions in the target org. However, the problem does not occur in reverse - a user with read access to a sub org is unable to read from other org or the root org. | ||||
| CVE-2026-44110 | 1 Openclaw | 1 Openclaw | 2026-05-07 | 8.8 High |
| OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms, potentially enabling privileged OpenClaw behavior. | ||||
| CVE-2026-41658 | 1 Admidio | 1 Admidio | 2026-05-07 | 6.5 Medium |
| Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for item_delete, item_retire, item_reinstate, item_picture_upload, item_picture_save, and item_picture_delete perform CSRF validation but never check whether the requesting user is an inventory administrator. Any authenticated user who can access the inventory module can permanently delete any inventory item and all its associated data. This issue has been patched in version 5.0.9. | ||||
| CVE-2026-43579 | 1 Openclaw | 1 Openclaw | 2026-05-07 | 6.5 Medium |
| OpenClaw before 2026.4.10 contains an insufficient access control vulnerability in Nostr plugin HTTP profile routes that allows operators with write permissions to persist profile configuration without requiring admin authority. Attackers with operator.write scope can modify Nostr profile settings through unprotected mutation endpoints to gain unauthorized configuration persistence. | ||||
| CVE-2026-43575 | 1 Openclaw | 1 Openclaw | 2026-05-07 | 9.8 Critical |
| OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session. | ||||
| CVE-2026-41660 | 1 Admidio | 1 Admidio | 2026-05-07 | 7.1 High |
| Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A group leader with profile edit rights on an admin account can strip that admin's 2FA. This issue has been patched in version 5.0.9. | ||||
| CVE-2026-41657 | 1 Admidio | 1 Admidio | 2026-05-07 | 4.9 Medium |
| Admidio is an open-source user management solution. Prior to version 5.0.9, the contacts_data.php endpoint uses a weaker permission check (isAdministratorUsers(), requiring only rol_edit_user=true) than the frontend UI (contacts.php) which correctly requires the stronger isAdministrator() (requiring rol_administrator=true) and the contacts_show_all system setting. A user manager who is not a full administrator can directly request contacts_data.php?mem_show_filter=3 to retrieve all user records across all organizations in the Admidio instance, bypassing multi-tenant organization isolation. This issue has been patched in version 5.0.9. | ||||
| CVE-2026-6214 | 2 Wordpress, Wpmudev | 2 Wordpress, Forminator Forms – Contact Form, Payment Form & Custom Form Builder | 2026-05-07 | 6.5 Medium |
| The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration. | ||||