Lucene search
K

375 matches found

EUVD
EUVD
added 2 days ago6 views

EUVD-2026-43231

Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in foreign organizations. Attackers with org.updatesettings permission and an active SSO provider can call...

8.1CVSS6.1AI score0.00276EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 4 days ago9 views

CVE-2026-53448

A flaw was found in Coturn, a free open-source implementation of TURN and STUN Server. The HTTPS administration panel, specifically in the delete-user, delete-secret, and delete-IP operations, does not properly sanitize HTTP query parameters. This allows an authenticated administrator to inject...

7.2CVSS6.4AI score0.00677EPSS
Exploits0References7
NVD
NVD
added last week6 views

CVE-2026-50007

Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with useraccess on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users...

7.2CVSS0.00246EPSS
Exploits0References5
Cvelist
Cvelist
added last week33 views

CVE-2026-50007 Actual: Shared users can perform owner-only file management actions

Actual is an open-source personal finance application. Prior to 26.7.0, a missing authorization issue allows a shared user with useraccess on a budget file to perform owner-only file management actions. A non-owner shared user can call file-management endpoints intended for higher-privilege users...

7.2CVSS0.00246EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.6 views

PT-2026-56243

Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.7.0 Description A missing authorization issue allows a shared user with user access on a budget file to perform file management actions reserved for the owner or an administrator. This occurs because the...

7.2CVSS6.1AI score0.00246EPSS
Exploits0References10
Github Security Blog
Github Security Blog
added 2026/07/06 9:11 p.m.6 views

Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References9Affected Software1
Snyk
Snyk
added 2026/07/06 9:11 p.m.3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization due to insufficient validation in the IsAuthorized function. An attacker can maintain unauthorized access to AI Bridge LLM proxy endpoints by using previously issued, unexpired API tokens even after the associate...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/17 2:7 p.m.12 views

NocoDB: Refresh Tokens Persist Through Password Recovery

Summary A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. Details passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated tokenversion and revoked OAuth tokens — it did...

6.3CVSS5.3AI score0.00242EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:28 p.m.11 views

CVE-2026-4002

The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajaxrevoketoken function which handles the 'petjeafdisconnect' AJAX action. The function performs destructive operations includin...

4.3CVSS5.5AI score0.00163EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.12 views

CVE-2026-8046

The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges...

8.1CVSS5.5AI score0.00348EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.12 views

WordPress plugin WP Travel Pro 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

9.1CVSS5.8AI score0.00258EPSS
Exploits0References2
NVD
NVD
added 2026/05/26 8:16 a.m.17 views

CVE-2026-8046

The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges...

8.1CVSS0.00348EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/26 6:45 a.m.45 views

CVE-2026-8046 Incorrect Authorization in CODESYS Control

The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges...

8.1CVSS0.00348EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/26 6:45 a.m.12 views

EUVD-2026-31799

The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges...

8.1CVSS5.8AI score0.00348EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.15 views

PT-2026-43198

The affected products insufficiently verify authorization when deleting user accounts. An authenticated, low-privileged remote user can exploit this vulnerability to delete other users, including those with higher privileges...

8.1CVSS5.8AI score0.00348EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/20 3:37 p.m.10 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the authorization process in UserDeactivateView, UserActivateView, and delete in wger/core/views/user.py due to improper gym-scope checks when both the attacker and victim have gym=None. An attacker with the...

9CVSS5.5AI score
Exploits0References3
NVD
NVD
added 2026/05/13 5:16 a.m.16 views

CVE-2026-7051

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2SPostTools::deleteUserPublishPost and B2SPostTools::deleteUserSchedPost functions,...

5.4CVSS0.00409EPSS
Exploits0References14
EUVD
EUVD
added 2026/04/16 6:31 a.m.5 views

EUVD-2026-23182

The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/deletecustomer without a permissioncallback, causing...

5.3CVSS5.7AI score0.00441EPSS
Exploits0References8
NVD
NVD
added 2026/04/16 6:16 a.m.4 views

CVE-2026-3595

The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/deletecustomer without a permissioncallback, causing...

5.3CVSS0.00441EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/04/16 5:29 a.m.4 views

CVE-2026-3595

The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/deletecustomer without a permissioncallback, causing...

5.3CVSS5.7AI score0.00441EPSS
Exploits0References8
Rows per page
Query Builder