2294 matches found
CVE-2026-49353 9Router: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
9Router is an AI router & token saver. In 0.4.45 and earlier, 9Router's src/dashboardGuard.js local-only access gate used Host and Origin headers in isLocalRequest to protect /api/mcp/, /api/tunnel/, and /api/cli-tools/, allowing header spoofing in reverse proxy or tunnel deployments to reach MCP...
CVE-2026-56352 n8n - Arbitrary File Read and Execution via ExecuteWorkflow localFile Parameter
n8n before 2.19.3 contains a file path restriction bypass in the legacy ExecuteWorkflow node's localFile source option, which reads workflow files from disk without the file-access checks enforced by other file-reading nodes. Although hidden from the UI since v1.2, it remains reachable via the RE...
CVE-2026-61952
Missing Authorization vulnerability in Jose Vega WooCommerce Bulk Edit Products – WP Sheet Editor woo-bulk-edit-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Edit Products – WP Sheet Editor: from n/a through = 1.8.21...
CVE-2026-15079
The CVE-2026-15079 entry concerns the Drupal Login Disable module, affected on versions 0.0.0 through 2.1.4. The underlying issue is an improper restriction of excessive authentication attempts, which can enable brute-force login attempts to bypass protection. The attack surface is the Drupal log...
CVE-2026-58590
FlowDrop for Drupal is affected by a Missing Authorization vulnerability that enables forceful browsing. Publicly reported details cover FlowDrop versions 0.0.0 through 1.6.0 as vulnerable. The root cause is insufficient access checks, allowing unauthorized navigation to access resources. The iss...
CVE-2026-58589 FlowDrop - Moderately critical - Access bypass - SA-CONTRIB-2026-067
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0...
CVE-2026-58589
CVE-2026-58589 describes a Missing Authorization vulnerability in Drupal FlowDrop (FlowDrop versions 0.0.0 to 1.6.0) allowing forceful browsing to access endpoints without proper permissions. The issue affects the FlowDrop module used for AI-driven workflows via a chat interface, where endpoints ...
CVE-2026-13241 Paragraphs - Moderately critical - Access bypass - SA-CONTRIB-2026-061
Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0...
CVE-2026-13241
Summary: CVE-2026-13241 describes a Missing Authorization vulnerability in Drupal Paragraphs (affecting Paragraphs 0.0.0 – 1.21.0) compounded by the Paragraphs Library module. The issue allows forceful browsing because access to direct child paragraphs of library items via API endpoints is not su...
CVE-2026-13239
Summary: CVE-2026-13239 describes a Missing Authorization vulnerability in WissKI, enabling forceful browsing via the wisski mirador submodule. Affected software: WissKI versions 0.0.0 through 4.2.0. Root cause (per documents): insufficient access checks when parameters are submitted through a ro...
CVE-2026-13239 WissKI - Critical - Access bypass - SA-CONTRIB-2026-059
Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing. This issue affects WissKI versions: from 0.0.0 to 4.2.0...
CVE-2026-13238 Commerce Realex / Global Payments - Moderately critical - Access Bypass - SA-CONTRIB-2026-058
Incorrect Authorization vulnerability in Drupal Commerce Realex / Global Payments allows Forceful Browsing. This issue affects Commerce Realex / Global Payments versions: from 0.0.0 to 3.0.2...
CVE-2026-13238
CVE-2026-13238 describes an incorrect authorization flaw in Drupal Commerce Realex / Global Payments. The issue permits forceful browsing when the gateway is configured with the redirect payment method, due to insufficient verification of the payment response from Global Payments. Affected versio...
CVE-2026-13237 AI Agents - Moderately critical - Information disclosure, Access bypass - SA-CONTRIB-2026-057
Incorrect Authorization vulnerability in Drupal AI Agents allows Forceful Browsing. This issue affects AI Agents versions: from 0.0.0 to 1.1.4, from 1.2.0 to 1.2.5, from 1.3.0 to 1.3.1...
CVE-2026-13237
CVE-2026-13237 affects Drupal AI Agents (versions 0.0.0–1.1.4, 1.2.0–1.2.5, 1.3.0–1.3.1). Root cause: Incorrect Authorization allowing Forceful Browsing, potentially enabling information disclosure and minor integrity concerns. The issue is documented across multiple sources (Drual SA-CONTRIB-202...
CVE-2026-13236
The CVE CVE-2026-13236 concerns a Missing Authorization issue in Drupal AI Agents that enables forceful browsing. Technical details across connected sources show that the vulnerability resides in the Drupal AI Agents module, where the tool-loading path does not sufficiently verify permissions on ...
CVE-2026-13235 AI (Artificial Intelligence) - Moderately critical - Access bypass - SA-CONTRIB-2026-055
Missing Authorization vulnerability in Drupal AI Artificial Intelligence allows Forceful Browsing. This issue affects AI Artificial Intelligence versions: from 0.0.0 to 1.2.17, from 1.3.0 to 1.3.8, from 1.4.0 to 1.4.3...
CVE-2026-13232 Advanced Content Feedback (aka admin_feedback) - Moderately critical - Access bypass / Insecure Direct Object Reference (IDOR) - SA-CONTRIB-2026-052
Incorrect Authorization vulnerability in Drupal Advanced Content Feedback aka adminfeedback allows Forceful Browsing. This issue affects Advanced Content Feedback aka adminfeedback versions: from 0.0.0 to 2.8.0...
CVE-2026-11909 Examples for Developers - Moderately critical - Access bypass - SA-CONTRIB-2026-044
Missing Authorization vulnerability in Drupal Examples for Developers allows Forceful Browsing. This issue affects Examples for Developers versions: from 0.0.0 to 4.0.6...
CVE-2026-59225
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.8.12 before 0.10.0, an authenticated non-admin user with read access to an arena wrapper model can reach a restricted underlying model through task endpoints such as /api/v1/tasks/moa/completions. The...