12 matches found

CVE
added 2026/04/06 9:33 p.m. | 14 views

CVE-2026-35412

Directus prior to 11.16.1 is vulnerable to an authorization bypass in the TUS resumable upload endpoint (/files/tus). The TUS controller only performs collection-level authorization on directus_files and does not validate item-level access for the target file, allowing any authenticated user with...

CVSS 8.1 | AI score 6.1 | EPSS 0.00302
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2026/04/06 12:0 a.m. | 8 views

PT-2026-30715

Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL b...

CVSS 7.1 | AI score 5.9 | EPSS 0.00201
Exploits: 1 | References: 2

ATTACKERKB
added 2026/03/17 8:33 a.m. | 2 views

CVE-2026-4202

The extension fails to verify whether an authenticated user has permissions to access redirects, resulting in exposure of redirect records when editing a page...

CVSS 2.3 | AI score 5.8 | EPSS 0.00162
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/03/17 8:33 a.m. | 2 views

CVE-2026-4202 Broken Access Control in extension "Redirect Tab"

The extension fails to verify whether an authenticated user has permissions to access redirects, resulting in exposure of redirect records when editing a page...

CVSS 2.3 | AI score 5.8 | EPSS 0.00162
Exploits: 0 | References: 1

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2018-2653

Malware in sbrugna...

CVSS 5.5 | AI score 5.5 | EPSS 0.00742
Exploits: 1 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 6 views

EUVD-2015-8698

Malware in sbrugna...

CVSS 8.8 | AI score 8.8 | EPSS 0.0259
Exploits: 1 | References: 9

NVD
added 2025/07/31 6:15 p.m. | 11 views

CVE-2025-54832

OPEXUS FOIAXpress Public Access Link (PAL), version v11.1.0, allows an authenticated user to add entries to the list of states and territories...

CVSS 5.3 | EPSS 0.00312
Exploits: 0 | References: 3

RedhatCVE
added 2025/05/23 1:49 a.m. | 6 views

CVE-2023-2173

The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeosdeletestepajaxhandler, badgeosdeleteawardstepajaxhandler, badgeosdeletedeductstepajaxhandler,...

CVSS 6.5 | AI score 6.7 | EPSS 0.00419
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 5:49 p.m. | 14 views

CVE-2020-12760

An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code execution for any...

CVSS 8.8 | AI score 7.9 | EPSS 0.0341
Exploits: 0

OSV
added 2024/03/12 7:15 p.m. | 6 views

CVE-2024-28098

The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. These management operations should be restricted to users with the tenant admin role or super user role. This issue affects Apache...

CVSS 5.4 | AI score 6.3 | EPSS 0.01701
Exploits: 0 | References: 3

Vulnrichment
added 2023/05/02 12:0 a.m. | 12 views

CVE-2023-29868

Zammad 5.3.x (Fixed in 5.4.0) is vulnerable to Incorrect Access Control. An authenticated attacker with agent and customer roles could perform unauthorized changes on articles where they only have customer permissions...

AI score 6.4 | EPSS 0.01035
Exploits: 0 | References: 1

Vulnrichment
added 2023/01/10 4:55 p.m. | 9 views

CVE-2022-4703 Royal Elementor Addons <= 1.3.59 - Insufficient Access Control to Import Deletion

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprresetpreviousimport' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to reset previously imported da...

CVSS 4.3 | AI score 7.2 | EPSS 0.00945
Exploits: 1 | References: 3