44 matches found
CVE-2026-41192
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in attachmentsall but omitted from retained lists are decrypted and passed directly to Attachment::deleteByIds. Because...
PT-2026-34039
Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.215 Description The reply and draft flows trust encrypted attachment IDs supplied by the client. Any IDs included in the attachments all variable but omitted from retained lists are decrypted and passed to the...
CVE-2026-33678 Vikunja has IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads ...
CVE-2026-2312
The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the deletemaxgalleriamedia and maxgalleriarenameimage functions due to missing validation on a user controlled key. This makes it possible for...
CVE-2026-2312
WordPress Plugin Media Library Folders
WordPress plugin Media Library Folders security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
CVE-2025-13391
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO Premium plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'unicporemovefile' function in all versions up to, and including, 4.9.60. This makes it possible for...
SUSE CVE-2026-20736
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access...
CVE-2025-14913
CVE-2025-14913 affects the Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin. It allows unauthenticated attackers to delete arbitrary attachments due to an incorrect authorization check in the media_delete_action function, affecting all versions up to 1.2.6. CVSS 3.1 base ...
PT-2025-53417
Name of the Vulnerable Software and Affected Versions Frontend Post Submission Manager Lite WordPress Plugin versions through 1.2.6 Description The Frontend Post Submission Manager Lite WordPress Plugin is affected by a flaw that allows unauthorized data loss. An incorrect authorization check...
memos vulnerability allows arbitrarily modification or deletion of attachments
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users...
CVE-2025-65798
Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users...
CVE-2025-65798
The CVE-2025-65798 entry concerns usememos memos v0.25.2 with an incorrect access-control flaw that lets low-privilege attackers modify or delete attachments belonging to other users. The connected advisories confirm this is a real vulnerability in the memos server/router/api/v1 surface (and rela...
PT-2025-49234
The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto delete file AJAX action in all versions up to, and including, 5.1.19. This makes it possible for unauthenticated attackers to delete...
CVE-2025-11996
The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fuideleteimage and fuideleteallimages functions in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site...
EUVD-2025-60967
The Find Unused Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the fuideleteimage and fuideleteallimages functions in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to delete all of a site...
CVE-2023-0335
The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities which leads user with role as low as subscriber delete attachment...
CVE-2022-1779
The Auto Delete Posts WordPress plugin through 1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and delete specific posts, categories and attachments at once...
CVE-2009-3258
vtiger CRM before 5.1.0 allows remote authenticated users, with certain View privileges, to delete (1) attachments, (2) reports, (3) filters, (4) views, and (5) tickets; insert (6) attachments, (7) reports, (8) filters, (9) views, and (10) tickets; and edit (11) reports, (12) filters, (13) views, and (14) tickets via...