Export limit exceeded: 11582 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (11582 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-34050 1 Coollabsio 1 Coolify 2026-07-07 6.5 Medium
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially modify auto-update settings or trigger update checks. This issue is fixed in version 4.0.0-beta.471.
CVE-2026-8377 2026-07-07 8.2 High
Missing Authorization vulnerability in Armiya Information Technologies Ltd. Co. Access Control System (GKS) allows Collect Data from Common Resource Locations. This issue affects Access Control System (GKS): before Version 2.
CVE-2026-11340 2026-07-07 8.3 High
Missing Authorization vulnerability in HAVELSAN Inc. Liman MYS allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Liman MYS: before release.Master.1107.
CVE-2026-41048 1 Presire 1 Qsnapper 2026-07-07 N/A
Incorrect caching of authentication between different polkit methods in qSnapper before version 1.3.3 allowed a local attacker to use functions like "restore from snapshot" even if only allowed to do "delete snapshot".
CVE-2026-14716 1 Nextlevelbuilder 1 Goclaw 2026-07-07 6.3 Medium
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.13.0-beta.2. Impacted is the function MethodRouter.Handle of the file internal/gateway/router.go of the component WebSocket RPC Handler. Such manipulation leads to incorrect authorization. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report.
CVE-2026-13468 2 Themeisle, Wordpress 2 Visualizer – Tables & Charts Manager With Built-in Ai Generator, Wordpress 2026-07-06 7.5 High
The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to access and export the contents of any visualizer chart on the site — including charts in draft, private, pending, future, or trash status — as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint. This bypass is particularly impactful because the standard WordPress REST endpoint for the non-public 'visualizer' custom post type correctly enforces capability checks and returns HTTP 401 to unauthenticated callers, whereas this plugin-registered route circumvents that protection entirely.
CVE-2026-53902 1 Mycomplianceoffice 1 Mco 2026-07-06 N/A
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint. An authenticated user can modify their group membership without proper authorization checks, allowing privilege escalation. An attacker can add themselves to arbitrary groups by supplying a valid group ID, which can be obtained via other application functionalities (e.g. /customer/servlet/mco/webapi/group/picker/groups), provided he has necessary permissions, or potentially inferred through brute-force techniques. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
CVE-2026-53905 1 Mycomplianceoffice 1 Mco 2026-07-06 N/A
MCO does not properly enforce authorization checks in the /customer/servlet/mco/webapi/admin-view-hierarchy/get-acl-tree-structure endpoint. An authenticated, low-privileged user can retrieve administrator access control structures without proper authorization checks. This may expose sensitive permission mappings and internal configuration details. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
CVE-2026-57720 2 Codexpert, Wordpress 2 Thumbpress, Wordpress 2026-07-06 4.3 Medium
Missing Authorization vulnerability in Codexpert Inc ThumbPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThumbPress: from n/a through 6.3.2.
CVE-2026-57721 2 Wordpress, Wp Reloaded 2 Wordpress, Applyonline 2026-07-06 5.3 Medium
Missing Authorization vulnerability in WP Reloaded ApplyOnline allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ApplyOnline: from n/a through 2.6.7.6.
CVE-2025-69134 2 Merkulove, Wordpress 2 Openai Chatbot For Wordpress – Helper, Wordpress 2026-07-06 7.5 High
Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions.
CVE-2026-39448 2 Coderpress, Wordpress 2 Nowpayments For Woocommerce, Wordpress 2026-07-06 7.5 High
Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions.
CVE-2026-57685 2 Drfuri, Wordpress 2 Martfury - Woocommerce Marketplace Wordpress Theme, Wordpress 2026-07-06 4.3 Medium
Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme <= 3.2.8 versions.
CVE-2026-57688 2 Gurmehub, Wordpress 2 Pos Entegratör, Wordpress 2026-07-06 8.2 High
Unauthenticated Broken Access Control in POS Entegratör <= 3.7.103 versions.
CVE-2026-57689 2 Fuelthemes, Wordpress 2 Werkstatt, Wordpress 2026-07-06 4.3 Medium
Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions.
CVE-2026-57750 2 Keksdieb, Wordpress 2 Ez Form Calculator Premium, Wordpress 2026-07-06 5.3 Medium
Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions.
CVE-2026-57760 2 Sendcloud, Wordpress 2 Sendcloud Shipping, Wordpress 2026-07-06 5.3 Medium
Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendcloud Shipping: from n/a through 1.0.29.
CVE-2026-12729 2 Wedevs, Wordpress 2 Wedocs: Ai Powered Knowledge Base, Docs, Documentation, Wiki & Ai Chatbot, Wordpress 2026-07-06 4.3 Medium
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins().
CVE-2026-27775 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 8.8 High
Gitea 1.25.5 caches a branch-specific write-permission result across multiple refs in one pre-receive hook session, allowing a per-branch maintainer-edit grant to be reused for other refs and escalate to full repository write access.
CVE-2026-27780 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 9.8 Critical
Gitea versions before 1.26.0 do not fail closed on bufio.Scanner errors while processing pre-receive hook input, allowing oversized input to bypass branch-protection checks.