Export limit exceeded: 11420 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 11420 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11420 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22343 | 2 Premiumpress Limited., Wordpress | 2 Wordpress Dating Theme, Wordpress | 2026-06-20 | 8.6 High |
| Unauthenticated Broken Access Control in WordPress Dating Theme <= 11.2.0 versions. | ||||
| CVE-2026-40726 | 2 Themegrill, Wordpress | 2 User Registration Stripe, Wordpress | 2026-06-20 | 8.2 High |
| Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.14 versions. | ||||
| CVE-2026-49072 | 2 Opmc, Wordpress | 2 Woocommerce Anti-fraud, Wordpress | 2026-06-20 | 6.5 Medium |
| Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions. | ||||
| CVE-2026-49081 | 2 Themegrill, Wordpress | 2 User Registration Stripe, Wordpress | 2026-06-20 | 8.2 High |
| Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions. | ||||
| CVE-2026-54803 | 2 Cozyvision, Wordpress | 2 Sms Alert Order Notifications, Wordpress | 2026-06-20 | 9.8 Critical |
| Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions. | ||||
| CVE-2024-33685 | 2 Jegstudio, Wordpress | 2 Startupzy, Wordpress | 2026-06-20 | 4.3 Medium |
| Missing Authorization vulnerability in Jegstudio Startupzy startupzy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Startupzy: from n/a through 1.1.1. | ||||
| CVE-2024-31435 | 2 Inisev, Wordpress | 2 Social Media & Share Icons, Wordpress | 2026-06-20 | 4.3 Medium |
| : Missing Authorization vulnerability in Inisev Social Media & Share Icons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Social Media & Share Icons: from n/a through 2.8.6. | ||||
| CVE-2026-11858 | 1 Quanos Solutions | 1 Schema St4 | 2026-06-20 | N/A |
| Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation. | ||||
| CVE-2024-37210 | 2 Ali2woo, Wordpress | 2 Alinext, Wordpress | 2026-06-20 | 6.5 Medium |
| Missing Authorization vulnerability in ali2woo AliNext allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AliNext: from n/a through 3.3.5. | ||||
| CVE-2024-37496 | 2 Rara Themes, Wordpress | 2 Metro Magazine, Wordpress | 2026-06-20 | 4.3 Medium |
| Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.3.7. | ||||
| CVE-2025-69189 | 2 Emv, Wordpress | 2 Jobbank, Wordpress | 2026-06-20 | 7.3 High |
| Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3. | ||||
| CVE-2026-54810 | 2 Nexi Payments, Wordpress | 2 Nexi Xpay, Wordpress | 2026-06-20 | 7.5 High |
| Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1. | ||||
| CVE-2026-10029 | 2 Eventkoi, Wordpress | 2 Event Koi Lite – Events Calendar, Event Management, Rsvp, And Tickets, Wordpress | 2026-06-20 | 5.3 Medium |
| The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract sensitive data including virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration belonging to draft, pending, and private events that are otherwise inaccessible via public URLs. | ||||
| CVE-2026-11719 | 1 Google | 1 Mcp Toolbox For Databases | 2026-06-20 | N/A |
| An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler). | ||||
| CVE-2026-8935 | 2 Wordpress, Wp Maps Pro | 2 Wordpress, Wp Maps Pro | 2026-06-19 | 9.8 Critical |
| The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access. | ||||
| CVE-2026-42357 | 1 Apache | 1 Dolphinscheduler | 2026-06-19 | 6.5 Medium |
| Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue. | ||||
| CVE-2026-0057 | 1 Google | 1 Android | 2026-06-18 | 3.3 Low |
| In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-0092 | 1 Google | 1 Android | 2026-06-18 | N/A |
| In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-28615 | 1 Google | 1 Android | 2026-06-18 | N/A |
| In Telecomm, there is a possible way to initiate an unauthorized phone call due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2025-48640 | 1 Google | 1 Android | 2026-06-18 | 8 High |
| In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||