Export limit exceeded: 11616 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11616 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-39525 | 2 Booking Activities Team, Wordpress | 2 Booking Activities, Wordpress | 2026-06-23 | 6.5 Medium |
| Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions. | ||||
| CVE-2026-39594 | 2 Themefic, Wordpress | 2 Ultra Addons For Wpforms, Wordpress | 2026-06-23 | 6.4 Medium |
| Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions. | ||||
| CVE-2026-40741 | 2 Jose Conti, Wordpress | 2 Redsys For Woocommerce Light, Wordpress | 2026-06-23 | 7.5 High |
| Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions. | ||||
| CVE-2026-40775 | 2 Royal Plugins, Wordpress | 2 Royal Mcp, Wordpress | 2026-06-23 | 7.3 High |
| Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions. | ||||
| CVE-2026-40776 | 2 Arraytics, Wordpress | 2 Wp Event Solution, Wordpress | 2026-06-23 | 7.5 High |
| Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions. | ||||
| CVE-2026-40795 | 2 Tms, Wordpress | 2 Amelia, Wordpress | 2026-06-23 | 6.5 Medium |
| Subscriber Broken Access Control in Amelia <= 2.2 versions. | ||||
| CVE-2026-42664 | 2 Motive Commerce Search, Wordpress | 2 Ai Product Search For Woocommerce – Motive Commerce Search, Wordpress | 2026-06-23 | 8.2 High |
| Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions. | ||||
| CVE-2026-42666 | 2 Dimitri Grassi, Wordpress | 2 Salon Booking System, Wordpress | 2026-06-23 | 7.5 High |
| Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions. | ||||
| CVE-2026-48835 | 2 Awesomemotive, Wordpress | 2 Contact Form By Wpforms, Wordpress | 2026-06-23 | 7.5 High |
| Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions. | ||||
| CVE-2026-48887 | 2 Ahmad, Wordpress | 2 Js Help Desk, Wordpress | 2026-06-23 | 6.5 Medium |
| Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions. | ||||
| CVE-2026-49070 | 2 Knit Pay, Wordpress | 2 Knit Pay, Wordpress | 2026-06-23 | 7.5 High |
| Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions. | ||||
| CVE-2025-68045 | 2 Arraytics, Wordpress | 2 Wp Event Solution, Wordpress | 2026-06-23 | 7.5 High |
| Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions. | ||||
| CVE-2026-52711 | 2 Kilbot, Wordpress | 2 Woocommerce Pos, Wordpress | 2026-06-23 | 7.5 High |
| Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions. | ||||
| CVE-2026-54190 | 2 Awesomemotive, Wordpress | 2 Envira Photo Gallery, Wordpress | 2026-06-23 | 6.5 Medium |
| Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions. | ||||
| CVE-2026-40809 | 2 Rara Themes, Wordpress | 2 Metro Magazine, Wordpress | 2026-06-23 | 6.5 Medium |
| Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1. | ||||
| CVE-2025-69103 | 2 Utillz, Wordpress | 2 Brikk, Wordpress | 2026-06-23 | 7.5 High |
| Subscriber Arbitrary Content Deletion in Brikk <= 3.0.0 versions. | ||||
| CVE-2025-69137 | 2 Jthemes, Wordpress | 2 Genemy, Wordpress | 2026-06-23 | 6.5 Medium |
| Subscriber Broken Access Control in Genemy <= 1.6.6 versions. | ||||
| CVE-2026-56696 | 1 Hkuds | 1 Openharness | 2026-06-23 | 5.4 Medium |
| OpenHarness /issue and /pr_comments slash commands lack remote_invocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/pr_comments.md files, which are subsequently injected into runtime system prompts, persistently influencing local agent behavior. | ||||
| CVE-2026-54021 | 1 Open-webui | 1 Open-webui | 2026-06-23 | 6.3 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested model, never which backend the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends. This vulnerability is fixed in 0.9.6. | ||||
| CVE-2026-54019 | 1 Open-webui | 1 Open-webui | 2026-06-23 | 6.5 Medium |
| Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as legacy/ephemeral collections. In Milvus multitenancy mode, that user-controlled collection name becomes a resource_id and is interpolated into a Milvus expression without escaping. This is caused by an incomplete fix for CVE-2026-44560 This vulnerability is fixed in 0.9.6. | ||||