Search Results (8402 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-49291 1 Doobidoo 1 Mcp-memory-service 2026-06-22 8.1 High
mcp-memory-service is a semantic memory layer for AI applications. Prior to version 10.65.3, the HTTP MCP JSON-RPC endpoint at `/mcp` requires only OAuth `read` scope for all requests, then dispatches `tools/call` directly to handlers that include mutating tools. A read-only OAuth client can call `store_memory` and `delete_memory` through MCP even though the corresponding REST endpoints require `write` scope. Version 10.65.3 patches the issue.
CVE-2026-8934 2026-06-22 N/A
A Missing Authorization vulnerability in a GraphQL private API operation of the Google App Engine section of the Cloud Console allows an unauthenticated remote attacker to leak sensitive App Engine request logs from other projects using a specially crafted request. This vulnerability was patched on 7 April 2026, and no customer action is needed.
CVE-2026-3640 2 Strablengineering, Wordpress 2 Strabl – A Checkout Solution, Wordpress 2026-06-22 5.3 Medium
The STRABL – A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which allows all incoming requests without any authentication or authorization checks. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees — all without making a legitimate payment or having any valid credentials.
CVE-2026-5139 1 Mattermost 1 Mattermost 2026-06-22 5.4 Medium
Mattermost versions 11.7.x <= 11.7.0, 11.6.x <= 11.6.2, 11.5.x <= 11.5.5, 10.11.x <= 10.11.17 fail to enforce administrator authorization on the {{setDefaultInstance}} call within the {{/gitlab connect}} command handler, which allows any authenticated user to overwrite the global default GitLab instance configuration via the {{/gitlab connect <instance-name>}} slash command.. Mattermost Advisory ID: MMSA-2026-00644
CVE-2026-52866 1 Apollo Pharmacy 1 Blood Glucose Monitoring System (model No. Apg-01 Bt) 2026-06-22 6.5 Medium
An attacker within BLE communication range can monopolize the device's only available BLE connection slot, preventing legitimate users or applications from establishing a connection.
CVE-2026-49205 1 Thorsten 1 Phpmyfaq 2026-06-22 6.5 Medium
phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this->userHasPermission(PermissionType::BACKUP). The same fix was not applied to 4 other write endpoints in the public API. All 4 only call $this->hasValidToken() — which checks a shared API key header, rather than the individual user's role permissions. The following APIs are affected: POST /api/v4.0/category (CategoryController::create), POST /api/v4.0/faq (FaqController::create), PUT /api/v4.0/faq (FaqController::update), and POST /api/v4.0/question (QuestionController::create). This issue has been fixed in version 4.1.4.
CVE-2026-48582 1 Microsoft 1 Exchange Online 2026-06-22 9.6 Critical
Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.
CVE-2026-11912 2 Eemitch, Wordpress 2 Simple File List, Wordpress 2026-06-22 7.5 High
The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.
CVE-2026-44914 1 Apache 1 Nifi 2026-06-22 N/A
Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not check restricted status when handling requests to replace Process Groups. The missing authorization permits a user with general write access to add components with Restricted status. Apache NiFi installations that do not implement specific authorization for Restricted components are not subject to this vulnerability because the framework enforces write permissions as the security boundary. Upgrading to Apache NiFi 2.9.0 is the recommended mitigation, which removes the implementation of Restricted status authorization from the framework.
CVE-2026-30784 2 Rustdesk, Rustdesk-server 3 Rustdesk Server, Rustdesk Server, Rustdesk Server Pro 2026-06-22 9.8 Critical
This CVE ID has been withdrawn by its CVE Numbering Authority.
CVE-2026-49057 2 Eyecix Technologies, Wordpress 2 Jobsearch, Wordpress 2026-06-20 7.5 High
Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.
CVE-2026-48797 1 Mcp-tool-shop-org 1 Backpropagate 2026-06-20 N/A
Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing flags intended as security controls: --auth user:pass — documented as "require HTTP Basic authentication on every request to the UI." and--share — documented as "expose the UI on a public address; requires --auth." When --auth user:pass is passed, the CLI prints Auth: enabled (user: <username>) to confirm to the operator that authentication is active, then exports BACKPROPAGATE_UI_AUTH=user:pass to the subprocess that launches the Reflex backend. The Reflex backend (backpropagate/ui_app/**) never reads BACKPROPAGATE_UI_AUTH. No authentication middleware is registered. No request-level guard runs. No WebSocket upgrade guard runs. Any client that reaches the bound port — local or remote, depending on whether --share is used — has full UI access. An inline comment at backpropagate/cli.py:1217-1218 in the v1.1.0 source documents the gap: "For Phase 1 the variable is exported but Reflex doesn't read it yet." This comment was internal-facing; the user-facing documentation (README, CHANGELOG, SHIP_GATE) advertised the contract as enforced. An attacker who reaches the bound port can read uploaded datasets, trigger arbitrary training runs against any local base models as well as read their paths, trigger HuggingFace Hub pushes and cause disk-fill DoS. This issue has been fixed in version 1.2.0. If developers cannot immediately upgrade to 1.2.0 run backprop ui with no flags so it binds to localhost, use SSH port-forwarding (ssh -L 7860:localhost:7860 <training-host>) instead of --share for remote access, and audit any host previously launched with --share, re-issuing any HF tokens used during those sessions.
CVE-2026-40722 2 Wordpress, Yoast Bv 2 Wordpress, Yoast Seo Premium 2026-06-20 5.5 Medium
Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yoast SEO Premium: from n/a through 26.6.
CVE-2026-22343 2 Premiumpress Limited., Wordpress 2 Wordpress Dating Theme, Wordpress 2026-06-20 8.6 High
Unauthenticated Broken Access Control in WordPress Dating Theme <= 11.2.0 versions.
CVE-2026-40726 2 Themegrill, Wordpress 2 User Registration Stripe, Wordpress 2026-06-20 8.2 High
Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.14 versions.
CVE-2026-49072 2 Opmc, Wordpress 2 Woocommerce Anti-fraud, Wordpress 2026-06-20 6.5 Medium
Unauthenticated Broken Access Control in WooCommerce Anti-Fraud <= 7.2.6 versions.
CVE-2026-49081 2 Themegrill, Wordpress 2 User Registration Stripe, Wordpress 2026-06-20 8.2 High
Unauthenticated Broken Access Control in User Registration Stripe <= 1.3.12 versions.
CVE-2024-33685 2 Jegstudio, Wordpress 2 Startupzy, Wordpress 2026-06-20 4.3 Medium
Missing Authorization vulnerability in Jegstudio Startupzy startupzy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Startupzy: from n/a through 1.1.1.
CVE-2024-31435 2 Inisev, Wordpress 2 Social Media & Share Icons, Wordpress 2026-06-20 4.3 Medium
: Missing Authorization vulnerability in Inisev Social Media & Share Icons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Social Media & Share Icons: from n/a through 2.8.6.
CVE-2026-11858 1 Quanos Solutions 1 Schema St4 2026-06-20 N/A
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.