Export limit exceeded: 11582 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11582 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34050 | 1 Coollabsio | 1 Coolify | 2026-07-07 | 6.5 Medium |
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially modify auto-update settings or trigger update checks. This issue is fixed in version 4.0.0-beta.471. | ||||
| CVE-2026-8377 | 2026-07-07 | 8.2 High | ||
| Missing Authorization vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Collect Data from Common Resource Locations. This issue affects Access Control System (GKS): before Version 2. | ||||
| CVE-2026-11340 | 2026-07-07 | 8.3 High | ||
| Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liman MYS: before release.Master.1107. | ||||
| CVE-2026-41048 | 1 Presire | 1 Qsnapper | 2026-07-07 | N/A |
| Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like "restore from snapshot" even if only allowed to do "delete snapshot". | ||||
| CVE-2026-14716 | 1 Nextlevelbuilder | 1 Goclaw | 2026-07-07 | 6.3 Medium |
| A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.13.0-beta.2. Impacted is the function MethodRouter.Handle of the file internal/gateway/router.go of the component WebSocket RPC Handler. Such manipulation leads to incorrect authorization. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report. | ||||
| CVE-2026-13468 | 2 Themeisle, Wordpress | 2 Visualizer – Tables & Charts Manager With Built-in Ai Generator, Wordpress | 2026-07-06 | 7.5 High |
| The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to access and export the contents of any visualizer chart on the site — including charts in draft, private, pending, future, or trash status — as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint. This bypass is particularly impactful because the standard WordPress REST endpoint for the non-public 'visualizer' custom post type correctly enforces capability checks and returns HTTP 401 to unauthenticated callers, whereas this plugin-registered route circumvents that protection entirely. | ||||
| CVE-2026-53902 | 1 Mycomplianceoffice | 1 Mco | 2026-07-06 | N/A |
| MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided he has necessary permissions, or potentially inferred through brute-force techniques. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions. | ||||
| CVE-2026-53905 | 1 Mycomplianceoffice | 1 Mco | 2026-07-06 | N/A |
| MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permission mappings and internal configuration details. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions. | ||||
| CVE-2026-57720 | 2 Codexpert, Wordpress | 2 Thumbpress, Wordpress | 2026-07-06 | 4.3 Medium |
| Missing Authorization vulnerability in Codexpert Inc ThumbPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThumbPress: from n/a through 6.3.2. | ||||
| CVE-2026-57721 | 2 Wordpress, Wp Reloaded | 2 Wordpress, Applyonline | 2026-07-06 | 5.3 Medium |
| Missing Authorization vulnerability in WP Reloaded ApplyOnline allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ApplyOnline: from n/a through 2.6.7.6. | ||||
| CVE-2025-69134 | 2 Merkulove, Wordpress | 2 Openai Chatbot For Wordpress – Helper, Wordpress | 2026-07-06 | 7.5 High |
| Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions. | ||||
| CVE-2026-39448 | 2 Coderpress, Wordpress | 2 Nowpayments For Woocommerce, Wordpress | 2026-07-06 | 7.5 High |
| Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions. | ||||
| CVE-2026-57685 | 2 Drfuri, Wordpress | 2 Martfury - Woocommerce Marketplace Wordpress Theme, Wordpress | 2026-07-06 | 4.3 Medium |
| Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme <= 3.2.8 versions. | ||||
| CVE-2026-57688 | 2 Gurmehub, Wordpress | 2 Pos Entegratör, Wordpress | 2026-07-06 | 8.2 High |
| Unauthenticated Broken Access Control in POS Entegratör <= 3.7.103 versions. | ||||
| CVE-2026-57689 | 2 Fuelthemes, Wordpress | 2 Werkstatt, Wordpress | 2026-07-06 | 4.3 Medium |
| Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions. | ||||
| CVE-2026-57750 | 2 Keksdieb, Wordpress | 2 Ez Form Calculator Premium, Wordpress | 2026-07-06 | 5.3 Medium |
| Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions. | ||||
| CVE-2026-57760 | 2 Sendcloud, Wordpress | 2 Sendcloud Shipping, Wordpress | 2026-07-06 | 5.3 Medium |
| Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendcloud Shipping: from n/a through 1.0.29. | ||||
| CVE-2026-12729 | 2 Wedevs, Wordpress | 2 Wedocs: Ai Powered Knowledge Base, Docs, Documentation, Wiki & Ai Chatbot, Wordpress | 2026-07-06 | 4.3 Medium |
| The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins(). | ||||
| CVE-2026-27775 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-06 | 8.8 High |
| Gitea 1.25.5 caches a branch-specific write-permission result across multiple refs in one pre-receive hook session, allowing a per-branch maintainer-edit grant to be reused for other refs and escalate to full repository write access. | ||||
| CVE-2026-27780 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-06 | 9.8 Critical |
| Gitea versions before 1.26.0 do not fail closed on bufio.Scanner errors while processing pre-receive hook input, allowing oversized input to bypass branch-protection checks. | ||||