Search Results (8422 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-24610 2026-06-17 4.3 Medium
Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions.
CVE-2026-0628 1 Google 1 Chrome 2026-06-17 8.8 High
Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via a crafted Chrome Extension. (Chromium security severity: High)
CVE-2026-48969 2026-06-17 6.5 Medium
Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions.
CVE-2026-26237 2 Qnap, Qnap Systems 2 Qumagie, Qumagie 2026-06-17 7.5 High
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later
CVE-2026-26236 2 Qnap, Qnap Systems 2 Qumagie, Qumagie 2026-06-17 7.5 High
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later
CVE-2026-48783 1 Gitroomhq 1 Postiz-app 2026-06-17 4.8 Medium
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8.
CVE-2026-53851 1 Openclaw 1 Openclaw 2026-06-16 5.3 Medium
OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.
CVE-2026-53844 1 Openclaw 1 Openclaw 2026-06-16 6.5 Medium
OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.
CVE-2026-53850 1 Openclaw 1 Openclaw 2026-06-16 5.5 Medium
OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels.
CVE-2026-53866 1 Openclaw 1 Openclaw 2026-06-16 8.1 High
OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected allowlist decision, enabling shell content execution without intended approval prompts.
CVE-2026-39584 2 Webful Creations, Wordpress 2 Repairbuddy, Wordpress 2026-06-16 6.5 Medium
Subscriber Broken Access Control in RepairBuddy <= 4.1132 versions.
CVE-2026-2381 2 Woocommerce, Wordpress 2 Stripe Payment Gateway, Wordpress 2026-06-16 6.5 Medium
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.
CVE-2026-42851 1 Kovidgoyal 1 Kitty 2026-06-16 7.8 High
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.
CVE-2026-39513 2 Easy-appointments, Wordpress 2 Easy Appointments, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Easy Appointments <= 3.12.21 versions.
CVE-2026-10831 2026-06-16 N/A
A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote attacker with network access can send crafted requests to disrupt serial communication for an active user session.
CVE-2025-14272 2026-06-16 N/A
A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions.
CVE-2026-25440 2 Wordpress, Wpdeveloper 2 Wordpress, Essential Addons For Elementor 2026-06-16 5.3 Medium
Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.
CVE-2026-39534 2026-06-16 7.5 High
Unauthenticated Broken Access Control in WP Directory Kit <= 1.5.0 versions.
CVE-2026-39524 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Masteriyo - LMS <= 2.1.5 versions.
CVE-2026-39503 2 Awesomemotive, Wordpress 2 Easy Digital Downloads, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Easy Digital Downloads <= 3.6.5 versions.