Lucene search
K

1225 matches found

EUVD
EUVD
added 2026/04/22 9:31 a.m.4 views

EUVD-2026-24658

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the...

5.3CVSS5.7AI score0.00364EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2026/04/22 9:27 a.m.3 views

CVE-2026-1930 Emailchef <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion

The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pageoptionsajaxdisconnect function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above...

4.3CVSS5.7AI score0.00261EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/22 12:31 a.m.5 views

EUVD-2026-24550

An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacker to determine the names of private repositories by their numeric ID. The mobile upload policy API endpoint did not perform an early authorization check, and validation error...

5.3CVSS5.8AI score0.00296EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.9 views

PT-2026-34453

Name of the Vulnerable Software and Affected Versions OpenRemote versions prior to 1.22.1 Description A user possessing the write:admin role in one Keycloak realm can utilize the Manager API to update Keycloak realm roles for users in a different realm, including the master realm. The issue exist...

7CVSS5.8AI score0.00285EPSS
Exploits1References7
Cvelist
Cvelist
added 2026/04/21 11:32 p.m.37 views

CVE-2026-41128 Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action

Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3CVSS0.00248EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/21 11:32 p.m.5 views

CVE-2026-41128 Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action

Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3CVSS5.9AI score0.00248EPSS
Exploits0References2
CVE
CVE
added 2026/04/21 11:32 p.m.16 views

CVE-2026-41128

Craft CMS (versions 5.6.0–5.9.14) contains an authorization flaw in the actionSavePermissions() endpoint. A user with only viewUsers permission can remove arbitrary users from all groups because _saveUserGroups() lacks a corresponding removal authorization check for an empty groups payload. This ...

5.3CVSS5.9AI score0.00248EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/17 3:36 a.m.33 views

CVE-2026-5502 Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutorupdatecoursecontentorder function. The function only validates the...

5.3CVSS0.00465EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/04/17 3:36 a.m.4 views

CVE-2026-5502

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutorupdatecoursecontentorder function. The function only validates the...

5.3CVSS5.7AI score0.00465EPSS
Exploits0References7
Snyk
Snyk
added 2026/04/15 7:46 p.m.4 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes through the updateUserPreference process. An attacker can alter restricted financial attributes by sending crafted API requests to modify their own hourlyrat...

5.3CVSS5.8AI score0.00267EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/14 12:8 a.m.2 views

CVE-2026-34256 Missing Authorization check in SAP ERP and SAP S/4 HANA (Private Cloud and On-Premise)

Due to a missing authorization check in SAP ERP and SAP S/4HANA Private Cloud and On-Premise, an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed...

7.1CVSS5.8AI score0.00221EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/14 12:8 a.m.9 views

EUVD-2026-22166

Due to a missing authorization check in SAP ERP and SAP S/4HANA Private Cloud and On-Premise, an authenticated attacker could execute a particular ABAP report to overwrite any existing eight?character executable ABAP report without authorization. If the overwritten report is subsequently executed...

7.1CVSS5.8AI score0.00221EPSS
Exploits0References2
CVE
CVE
added 2026/04/14 12:6 a.m.10 views

CVE-2026-27672

CVE-2026-27672 affects the Material Master application. The issue is that authenticated users can execute reports without proper authorization checks, leading to disclosure of sensitive information. According to the sources, impact on confidentiality is low; integrity and availability are not aff...

4.3CVSS5.8AI score0.00168EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/14 12:6 a.m.26 views

CVE-2026-27672 Missing Authorization check in Material Master Application

The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system...

4.3CVSS0.00168EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.10 views

PT-2026-32568

Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects...

6.5CVSS5.8AI score0.00213EPSS
Exploits0References3
OSV
OSV
added 2026/04/10 7:32 p.m.2 views

GHSA-7M5H-W69J-QGGG SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`

Summary An authenticated publish-service reader can invoke /api/av/removeUnusedAttributeView and cause persistent deletion of arbitrary attribute view AV definition files from the workspace. The route is protected only by generic CheckAuth, which accepts publish RoleReader requests. The handler...

8.1CVSS5.9AI score0.004EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/10 7:32 p.m.7 views

SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`

Summary An authenticated publish-service reader can invoke /api/av/removeUnusedAttributeView and cause persistent deletion of arbitrary attribute view AV definition files from the workspace. The route is protected only by generic CheckAuth, which accepts publish RoleReader requests. The handler...

8.1CVSS5.9AI score0.004EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/08 12:4 a.m.2 views

GHSA-V9W4-GM2X-6RVF File Browser share links remain accessible after Share/Download permissions are revoked

When an admin revokes a user's Share and Download permissions, existing share links created by that user remain fully accessible to unauthenticated users. The public share download handler does not re-check the share owner's current permissions. Verified with a running PoC against v2.62.2 commit...

8.2CVSS5.8AI score0.00332EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/04/07 6:58 p.m.2 views

CVE-2026-39360 RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration

RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path UploadPartCopy. A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an...

5.3CVSS5.9AI score0.00201EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/07 2:12 p.m.19 views

CVE-2026-5383 runZero Explorer missing authorization check

An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L 4.4 Medium. This issue was fixed in...

4.4CVSS0.00179EPSS
Exploits0References2
Rows per page
Query Builder