820 matches found
PT-2026-3338
The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel booking fetch customer info' AJAX action to unauthenticated users without proper capability checks, relying only on ...
CVE-2026-22236
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the...
CVE-2026-22238
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable admin API to create a new user with admin privileges. Successful...
CVE-2026-22236 Improper Authentication Vulnerability in BLUVOYIX
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the...
CVE-2026-22236
The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the...
CVE-2026-22236
Technical details about CVE-2026-22236 are not publicly available in the provided documents. The descriptions summarize improper backend API authentication but do not specify affected components, versions, impact specifics, or fixes. Monitor for updates from vendors and security feeds.
Bluspark BLUVOYIX 安全漏洞
Bluspark BLUVOYIX is a digital supply chain management platform from US-based Bluspark, Inc. Bluspark BLUVOYIX suffers from a security vulnerability that stems from improper authentication of the management API, which could lead an attacker to create new users with administrator privileges, which...
Bluspark BLUVOYIX 安全漏洞
Bluspark BLUVOYIX is a digital supply chain management platform from US-based Bluspark, Inc. Bluspark BLUVOYIX suffers from a security vulnerability that stems from improper back-end API authentication, which could lead to an attacker gaining full access to customer data and completely compromisi...
Bluspark BLUVOYIX 安全漏洞
Bluspark BLUVOYIX is a digital supply chain management platform from US-based Bluspark, Inc. Bluspark BLUVOYIX suffers from a security vulnerability that stems from improperly implemented password storage and exposure through an unauthenticated API, which could lead to an attacker retrieving the...
CVE-2022-0920
The Salon booking system Free and Pro WordPress plugins before 7.6.3 do not have proper authorisation in some of its endpoints, which could allow customers to access all bookings and other customer's data...
CVE-2023-49076
Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5...
CVE-2023-4198
Improper Access Control in Dolibarr ERP CRM = v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data...
CVE-2023-4145
Cross-site Scripting XSS - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2...
CVE-2025-14146 Booking Calendar <= 10.14.10 - Unauthenticated Sensitive Information Exposure
The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the WPBCFLEXTIMELINENAV AJAX action. This is due to the nonce verification being conditionally disabled by default bookingisnonceatfrontend option is 'Off' ...
CVE-2025-14146
CVE-2025-14146 is a Booking Calendar WordPress plugin issue (up to version 10.14.10) where unauthenticated attackers can exfiltrate sensitive booking data via the WPBC_FLEXTIMELINE_NAV AJAX action. The root cause is that nonce verification is conditionally disabled by default because the setting ...
One million customers on alert as extortion group claims massive Brightspeed data haul
US fiber broadband company Brightspeed is investigating claims by the Crimson Collective extortion group that it stole sensitive data belonging to more than 1 million residential customers, including extensive personally identifiable information PII, as well as account and billing details...
The Wegman’s Supermarket Chain Is Probably Using Facial Recognition
The New York City Wegman's is collecting biometric information about customers...
CVE-2019-7851
A cross-site request forgery vulnerability in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 can lead to unintended data deletion from customer pages...
CVE-2019-7951
An information leakage vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. A SOAP web service endpoint does not properly enforce parameters related to access control. This could be abused to leak customer information via crafted SOAP reques...
CVE-2019-16403
In Webkul Bagisto before 0.1.5, the functionalities for customers to change their own values such as address, review, orders, etc. can also be manipulated by other customers...