Export limit exceeded: 11616 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (11616 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-39525 2 Booking Activities Team, Wordpress 2 Booking Activities, Wordpress 2026-06-23 6.5 Medium
Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions.
CVE-2026-39594 2 Themefic, Wordpress 2 Ultra Addons For Wpforms, Wordpress 2026-06-23 6.4 Medium
Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions.
CVE-2026-40741 2 Jose Conti, Wordpress 2 Redsys For Woocommerce Light, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions.
CVE-2026-40775 2 Royal Plugins, Wordpress 2 Royal Mcp, Wordpress 2026-06-23 7.3 High
Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions.
CVE-2026-40776 2 Arraytics, Wordpress 2 Wp Event Solution, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions.
CVE-2026-40795 2 Tms, Wordpress 2 Amelia, Wordpress 2026-06-23 6.5 Medium
Subscriber Broken Access Control in Amelia <= 2.2 versions.
CVE-2026-42664 2 Motive Commerce Search, Wordpress 2 Ai Product Search For Woocommerce – Motive Commerce Search, Wordpress 2026-06-23 8.2 High
Unauthenticated Broken Access Control in AI Product Search for WooCommerce &#8211; Motive Commerce Search <= 1.38.2 versions.
CVE-2026-42666 2 Dimitri Grassi, Wordpress 2 Salon Booking System, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions.
CVE-2026-48835 2 Awesomemotive, Wordpress 2 Contact Form By Wpforms, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.
CVE-2026-48887 2 Ahmad, Wordpress 2 Js Help Desk, Wordpress 2026-06-23 6.5 Medium
Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions.
CVE-2026-49070 2 Knit Pay, Wordpress 2 Knit Pay, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions.
CVE-2025-68045 2 Arraytics, Wordpress 2 Wp Event Solution, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions.
CVE-2026-52711 2 Kilbot, Wordpress 2 Woocommerce Pos, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions.
CVE-2026-54190 2 Awesomemotive, Wordpress 2 Envira Photo Gallery, Wordpress 2026-06-23 6.5 Medium
Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions.
CVE-2026-40809 2 Rara Themes, Wordpress 2 Metro Magazine, Wordpress 2026-06-23 6.5 Medium
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1.
CVE-2025-69103 2 Utillz, Wordpress 2 Brikk, Wordpress 2026-06-23 7.5 High
Subscriber Arbitrary Content Deletion in Brikk <= 3.0.0 versions.
CVE-2025-69137 2 Jthemes, Wordpress 2 Genemy, Wordpress 2026-06-23 6.5 Medium
Subscriber Broken Access Control in Genemy <= 1.6.6 versions.
CVE-2026-56696 1 Hkuds 1 Openharness 2026-06-23 5.4 Medium
OpenHarness /issue and /pr_comments slash commands lack remote_invocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/pr_comments.md files, which are subsequently injected into runtime system prompts, persistently influencing local agent behavior.
CVE-2026-54021 1 Open-webui 1 Open-webui 2026-06-23 6.3 Medium
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access control on these routes validates only whether the user may use the requested model, never which backend the request is routed to. Any authenticated user can append an arbitrary url_idx to force their request onto an Ollama backend they were never authorized to reach, including internal, higher-privilege, or explicitly admin-disabled backends. This vulnerability is fixed in 0.9.6.
CVE-2026-54019 1 Open-webui 1 Open-webui 2026-06-23 6.5 Medium
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus multitenancy mode is enabled. The ACL allows unknown non-KB collection names as legacy/ephemeral collections. In Milvus multitenancy mode, that user-controlled collection name becomes a resource_id and is interpolated into a Milvus expression without escaping. This is caused by an incomplete fix for CVE-2026-44560 This vulnerability is fixed in 0.9.6.