Export limit exceeded: 10008 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10008 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-49394 | 2 Bplugins, Wordpress | 2 Image Gallery Block, Wordpress | 2026-04-01 | 8.8 High |
| Missing Authorization vulnerability in bPlugins Image Gallery block – Create and display photo gallery/photo album. 3d-image-gallery allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Image Gallery block – Create and display photo gallery/photo album.: from n/a through <= 1.0.7. | ||||
| CVE-2025-49377 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2026-04-01 | 7.5 High |
| Missing Authorization vulnerability in Themefic Hydra Booking hydra-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hydra Booking: from n/a through <= 1.1.9. | ||||
| CVE-2025-49376 | 2 Delucks, Wordpress | 2 Delucks Seo, Wordpress | 2026-04-01 | 7.5 High |
| Missing Authorization vulnerability in DELUCKS DELUCKS SEO delucks-seo allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects DELUCKS SEO: from n/a through <= 2.5.9. | ||||
| CVE-2025-49375 | 1 Wordpress | 1 Wordpress | 2026-04-01 | 8.8 High |
| Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeLancer: from n/a through <= 1.0.1. | ||||
| CVE-2025-49350 | 2 Marcoingraiti, Wordpress | 2 Actionwear Products Sync, Wordpress | 2026-04-01 | 4.3 Medium |
| Missing Authorization vulnerability in marcoingraiti Actionwear products sync actionwear-products-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Actionwear products sync: from n/a through <= 2.3.3. | ||||
| CVE-2025-49348 | 2 Hype, Wordpress | 2 Hype, Wordpress | 2026-04-01 | 5.3 Medium |
| Missing Authorization vulnerability in Hype Hype pico allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hype: from n/a through <= 1.0.5. | ||||
| CVE-2025-49041 | 1 Wordpress | 1 Wordpress | 2026-04-01 | 6.5 Medium |
| Missing Authorization vulnerability in The African Boss Get Cash get-cash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Get Cash: from n/a through <= 3.2.3. | ||||
| CVE-2025-48096 | 1 Wordpress | 1 Wordpress | 2026-04-01 | 6.5 Medium |
| Missing Authorization vulnerability in FRESHFACE Custom CSS custom-css-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom CSS: from n/a through <= 1.4.0. | ||||
| CVE-2025-39465 | 2 Flippercode, Wordpress | 2 Advanced Google Maps, Wordpress | 2026-04-01 | 8.1 High |
| Missing Authorization vulnerability in flippercode Advanced Google Maps wp-google-map-gold allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Google Maps: from n/a through <= 5.8.4. | ||||
| CVE-2025-30944 | 1 Wordpress | 1 Wordpress | 2026-04-01 | 7.5 High |
| Missing Authorization vulnerability in Essekia Tablesome Table Premium tablesome-premium allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Tablesome Table Premium: from n/a through <= 1.1.23. | ||||
| CVE-2025-22715 | 2 Loopus, Wordpress | 2 Wp Attractive Donations System, Wordpress | 2026-04-01 | 8.1 High |
| Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. | ||||
| CVE-2025-14358 | 1 Wordpress | 1 Wordpress | 2026-04-01 | 9.8 Critical |
| Missing Authorization vulnerability in sizam REHub Framework rehub-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects REHub Framework: from n/a through <= 19.9.5. | ||||
| CVE-2024-54222 | 2 Seraphinitesolutions, Wordpress | 2 Seraphinite Accelerator, Wordpress | 2026-04-01 | 4.3 Medium |
| Missing Authorization vulnerability in Seraphinite Solutions Seraphinite Accelerator seraphinite-accelerator allows Retrieve Embedded Sensitive Data.This issue affects Seraphinite Accelerator: from n/a through <= 2.22.15. | ||||
| CVE-2024-43228 | 2 Secupress, Wordpress | 2 Secupress, Wordpress | 2026-04-01 | 5.3 Medium |
| Missing Authorization vulnerability in SecuPress SecuPress Free secupress.This issue affects SecuPress Free: from n/a through <= 2.2.5.3. | ||||
| CVE-2024-34438 | 2 Anssi Laitila, Wordpress | 2 Shared Files, Wordpress | 2026-04-01 | 5.3 Medium |
| Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.This issue affects Shared Files: from n/a through <= 1.7.19. | ||||
| CVE-2026-20960 | 1 Microsoft | 2 Power Apps, Power Apps Desktop Client | 2026-04-01 | 8 High |
| Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network. | ||||
| CVE-2026-34046 | 1 Langflow | 2 Langflow, Langflow-base | 2026-04-01 | N/A |
| Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This allowed any authenticated user to read any other user's flow, including embedded plaintext API keys; modify the logic of another user's AI agents, and/or delete flows belonging to other users. The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. The fix in version 1.5.1 removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user. | ||||
| CVE-2026-33638 | 2 Ech0, Lin-snow | 2 Ech0, Ech0 | 2026-03-31 | 5.3 Medium |
| Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0. | ||||
| CVE-2026-3573 | 2 Artificial Intelligence Project, Drupal | 2 Artificial Intelligence, Artificial Intelligence | 2026-03-31 | 7.5 High |
| Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12. | ||||
| CVE-2026-3526 | 2 Drupal, Geeks4change | 2 File Access Fix (deprecated), File Access Fix | 2026-03-31 | 5.3 Medium |
| Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing.This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0. | ||||