32 matches found

EUVD
added 2026/04/17 6:31 a.m. | 1 view

EUVD-2026-23360

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutorupdatecoursecontentorder function. The function only validates the...

CVSS 5.3 | AI score 5.7 | EPSS 0.00015
Exploits 0 | References 7

NVD
added 2026/03/21 4:17 a.m. | 2 views

CVE-2026-3645

The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The saveconfig function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can) and nonce verification. This makes it...

CVSS 5.3 | EPSS 0.00065
Exploits 0 | References 11

Cvelist
added 2026/03/21 3:27 a.m. | 25 views

CVE-2026-3645 Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action

The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The saveconfig function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can) and nonce verification. This makes it...

CVSS 5.3 | EPSS 0.00065
Exploits 0 | References 11

EUVD
added 2026/03/10 6:31 p.m. | 2 views

EUVD-2026-10443

Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module to read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized content change could lead to reduced...

CVSS 6.4 | AI score 5.9 | EPSS 0.00053
Exploits 0 | References 3

RedhatCVE
added 2026/01/10 5:41 a.m. | 2 views

CVE-2026-21896

Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by...

CVSS 5.8 | AI score 6.7 | EPSS 0.00039
Exploits 0 | References 1

Github Security Blog
added 2026/01/08 8:32 p.m. | 4 views

Kirby is missing permission checks in the content changes API

TL;DR This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. If developers haven't configured any user...

CVSS 5.8 | AI score 7 | EPSS 0.00039
Exploits 0 | References 5 | Affected Software 1

OSV
added 2026/01/08 8:32 p.m. | 2 views

GHSA-4J78-4XRM-CR2F Kirby is missing permission checks in the content changes API

TL;DR This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by disabling the update permission with the intent to prevent modifications to site content. If developers haven't configured any user...

CVSS 5.8 | AI score 6.8 | EPSS 0.00039
Exploits 0 | References 5

Snyk
added 2026/01/08 6:42 p.m. | 1 view

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the content changes API when permission checks are not properly enforced. An attacker can modify site content by sending unauthorized write requests. Note: This is only exploitable if user permissions have be...

CVSS 5.8 | AI score 6.8 | EPSS 0.00039
Exploits 0 | References 2

NVD
added 2026/01/08 6:15 p.m. | 1 view

CVE-2026-21896

Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by...

CVSS 5.8 | EPSS 0.00039
Exploits 0 | References 3

Vulnrichment
added 2026/01/08 6:09 p.m. | 1 view

CVE-2026-21896 Kirby is missing permission checks in the content changes API

Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by...

CVSS 5.8 | AI score 6.3 | EPSS 0.00039
Exploits 0 | References 3

CVE
added 2026/01/08 6:09 p.m. | 5 views

CVE-2026-21896

Kirby (CMS) versions 5.0.0–5.2.1 contain missing permission checks in the content changes API. This allows attackers with Panel access to manipulate the changes version or content fields, potentially creating editing locks, injecting content, or discarding edits across any model, when user permis...

CVSS 5.8 | AI score 6.3 | EPSS 0.00039
Exploits 0 | References 3 | Affected Software 1

Cvelist
added 2026/01/08 6:09 p.m. | 19 views

CVE-2026-21896 Kirby is missing permission checks in the content changes API

Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by...

CVSS 5.8 | EPSS 0.00039
Exploits 0 | References 3

EUVD
added 2026/01/08 6:09 p.m. | 1 view

EUVD-2026-1473

Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by...

CVSS 5.8 | AI score 6.2 | EPSS 0.00039
Exploits 0 | References 5

OSV
added 2026/01/08 6:09 p.m. | 2 views

CVE-2026-21896 Kirby is missing permission checks in the content changes API

Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to prevent specific roles from performing write actions, specifically by...

CVSS 5.8 | AI score 6.4 | EPSS 0.00039
Exploits 0 | References 5

Positive Technologies
added 2026/01/08 12:00 a.m. | 2 views

PT-2026-2126

Name of the Vulnerable Software and Affected Versions Kirby versions 5.0.0 through 5.2.1 Description Kirby is an open-source content management system. Versions 5.0.0 through 5.2.1 are missing permission checks in the content changes API. This affects Kirby sites where user permissions are...

CVSS 5.8 | AI score 6.5 | EPSS 0.00039
Exploits 0 | References 12

Cvelist
added 2026/01/07 9:31 p.m. | 18 views

CVE-2025-69263 pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...

CVSS 7.5 | EPSS 0.00015
Exploits 1 | References 2

OSV
added 2026/01/07 7:06 p.m. | 4 views

GHSA-7VHP-VF5G-R2FW pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...

CVSS 7.5 | AI score 6.9 | EPSS 0.00015
Exploits 1 | References 4

Github Security Blog
added 2026/01/07 7:06 p.m. | 12 views

pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...

CVSS 8.8 | AI score 7 | EPSS 0.00015
Exploits 1 | References 4 | Affected Software 1

CVE
added 2025/12/11 12:00 a.m. | 33 views

CVE-2025-59803

Affected software: Foxit PDF Editor and Foxit Reader (before 2025.2.1). Root cause: Signature spoofing via triggers embedded in PDFs (e.g., JavaScript) that execute during the signing process, allowing content to be modified after a signer reviews it. Impact: The signed PDF can differ from what the...

CVSS 5.3 | AI score 6.4 | EPSS 0.00021
Exploits 0 | References 1 | Affected Software 2

Vulnrichment
added 2025/12/11 12:00 a.m. | 1 view

CVE-2025-59803

Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via triggers. An attacker can embed triggers (e.g., JavaScript) in a PDF document that execute during the signing process. When a signer reviews the document, the content appears normal. However, once the signature is applied, the...

AI score 6.5 | EPSS 0.00021
Exploits 0 | References 1