657 matches found
CVE-2026-57400
The CVE-2026-57400 entry concerns the WordPress plugin Event Tickets Manager for WooCommerce. A Missing Authorization vulnerability is described as due to Incorrectly Configured Access Control Security Levels, affecting the plugin’s “Event Tickets Manager for WooCommerce” component in versions up...
CVE-2026-57406 WordPress FundEngine plugin <= 1.7.6 - Broken Access Control vulnerability
Missing Authorization vulnerability in Roxnor FundEngine wp-fundraising-donation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FundEngine: from n/a through = 1.7.6...
CVE-2026-4298
The DSGVO All in one for WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 4.9. This is due to the dsgvoresetpolicyservicefunc function lacking both capability checks and nonce verification while processing user-supplied parameters to reset plugin...
CVE-2026-55433 Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, perform...
CVE-2026-35552
The CVE covers CAXperts UPVWebServices (versions 2.4.2212.603–2.7.6) and UDiTH Portal (2026.0.0–2026.2.0). An authenticated remote user can call an administrative API endpoint intended for privileged users because authorization checks are missing, enabling the attacker to deactivate the applicati...
EUVD-2026-41995
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes...
CVE-2026-34048
CVE-2026-34048 concerns Coolify prior to 4.0.0-beta.471, where terminal websocket bootstrap routes failed to enforce terminal authorization, only checking authentication. This allowed a low-privileged team member to connect to terminal routes and execute commands on team servers. The issue is fix...
CVE-2026-34048 Coolify: Missing authorization on terminal websocket bootstrap routes allows low-privileged members to execute commands on team servers
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, terminal websocket bootstrap routes only check authentication and do not enforce terminal authorization, allowing a low-privileged team member to connect to terminal routes...
CVE-2026-34167
Coolify (open-source self-hosted) has a vulnerability in the ActivityMonitor Livewire component prior to version 4.0.0-beta.471: a public $activityId property is not protected with Livewire’s #[Locked] attribute, allowing any authenticated user to enumerate activity records across all teams and r...
CVE-2026-42331
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Guest API invoice/update endpoint is missing an authorization check present in other invoice-related endpoints, allowing an unauthenticated user with knowledge of an invoice hash to modify the...
CVE-2026-9132 Missing authorization vulnerability in GitHub Enterprise Server allowed disclosure of private repository contents via the Copilot pull request diff summary endpoint
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range an...
CVE-2026-54475
A flaw was found in Apache ActiveMQ. Temporary destinations, which are designed to be private to a specific connection, can be accessed by other connections due to a missing authorization check. This allows an unauthorized connection to consume messages from another connection's temporary...
EUVD-2026-31975
obanweb missing authorization check on save-job event handler...
CVE-2026-58176
CVE-2026-58176 affects RuoYi-Vue-Plus up to version 5.6.2. The FlwTaskController’s /workflow/task endpoints lacked any class- or method-level authorization, leaving task management actions (updateAssignee, urging tasks, and listing with pageByAllTaskWait/pageByAllTaskFinish) gated only by global ...
CVE-2026-54475 Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing...
CVE-2026-57949 ruoyi-vue-pro - Missing Authorization in CRM Follow-up Record GET Endpoint
ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this ...
CVE-2026-55838 RustFS: Missing admin authorization on /rustfs/admin/v3/metrics allows any authenticated user to read server metrics
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validateadminrequest to...
BIT-NIFI-2026-44914 Apache NiFi: Missing Authorization of Restricted Permissions when Replacing Flow Contents
Apache NiFi 1.12.0 through 2.9.0 are missing authorization when replacing Process Groups that include extension components with specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required, but framework authorization did not...
CVE-2026-8617 SearchPlus <= 1.7.1 - Missing Authorization to Unauthenticated Settings Modification and Deletion via searchplus_save_token & searchplus_reset_token AJAX Actions
The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplussavetokenactioncallback and searchplusresettokenactioncallback...
Missing Authorization
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Missing Authorization in the selectlist API endpoint due to missing authorization checks. An attacker can enumerate all active user accounts, harvest usernames, collect...