62 matches found

Positive Technologies
added 4 days ago, 10 views

PT-2026-51012

Name of the Vulnerable Software and Affected Versions: gonic versions prior to 0.21.0. Description: The Subsonic API endpoints '/rest/deletePlaylist.view' and '/rest/getPlaylist.view' lack per-resource authorization. An authenticated user, regardless of privilege level, can delete any playlist or re...

CVSS 7.1, AI score 5.8
Exploits 0, References 5
NVD
added 2026/06/10 3:16 p.m., 9 views

CVE-2026-53469

A flaw was found in migration-planner. An authenticated user can exploit this vulnerability by sending a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This allows for the destruction of all customer data, including sources, agents, and assessments,...

CVSS 9.1, EPSS 0.00288
Exploits 0, References 3
Cvelist
added 2026/05/20 1:25 a.m., 37 views

CVE-2026-8418 Games Catalog <= 1.2.0 - Cross-Site Request Forgery to Arbitrary Game/Post Deletion

The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gccrud function, which handles the delete action (action=delete) via a GET request without any wp_verify_nonce /...

CVSS 4.3, EPSS 0.00163
Exploits 0, References 7
Cvelist
added 2026/05/13 6:05 p.m., 27 views

CVE-2026-0259 WildFire WF-500 and WF-500-B: Arbitrary File Read and Delete Vulnerability in WildFire Appliance (WF-500, WF-500-B)

An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode. The...

CVSS 7.1, EPSS 0.00278
Exploits 0, References 1
Grafana
added 2026/05/13 12:00 a.m., 6 views

IDOR in Annotations API allows unprivileged users to DELETE annotation

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations...

CVSS 4.3, AI score 5.8, EPSS 0.00198
Exploits 0
EUVD
added 2026/05/12 10:33 p.m., 9 views

EUVD-2026-29885

ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php causes a logged-in ChurchCRM user with the relevant role to silently delete records,...

CVSS 8.1, AI score 5.7, EPSS 0.0012
Exploits 0, References 1
Github Security Blog
added 2026/05/06 9:35 p.m., 9 views

Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete

Summary: SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these...

CVSS 8.8, AI score 6, EPSS 0.00396
Exploits 0, References 5, Affected Software 1
Snyk
added 2026/05/06 8:12 p.m., 9 views

Missing Authorization

Overview: phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Missing Authorization in the delete process. An attacker can remove tags and disrupt FAQ organization by sending crafted DELETE requests to the admin AP...

CVSS 5.4, AI score 5.8, EPSS 0.0018
Exploits 0, References 2
ATTACKERKB
added 2026/05/05 8:45 p.m., 2 views

CVE-2026-39402

lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the findline function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a...

CVSS 4.3, AI score 5.8, EPSS 0.00129
Exploits 1, References 2, Affected Software 1
ATTACKERKB
added 2026/04/17 9:04 p.m., 1 view

CVE-2026-40304

zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler controller/unaccess.go contains a logical error in its ownership guard: when a frontend record has environmentid = NULL (the marker for admin-created global frontends), the conditio...

CVSS 5.3, AI score 5.7, EPSS 0.00286
Exploits 0, References 3, Affected Software 1
Github Security Blog
added 2026/04/10 7:32 p.m., 3 views

SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`

Summary: An authenticated publish-service reader can invoke /api/av/removeUnusedAttributeView and cause persistent deletion of arbitrary attribute view (AV) definition files from the workspace. The route is protected only by generic CheckAuth, which accepts publish RoleReader requests. The handler...

CVSS 8.1, AI score 5.9, EPSS 0.004
Exploits 1, References 4, Affected Software 1
Cvelist
added 2026/03/08 8:32 a.m., 30 views

CVE-2026-3723 code-projects Simple Flight Ticket Booking System Admindelete.php sql injection

A security flaw has been discovered in code-projects Simple Flight Ticket Booking System 1.0. This affects an unknown function of the file /Admindelete.php. The manipulation of the argument flightno results in sql injection. The attack may be performed from remote. The exploit has been released t...

CVSS 7.5, EPSS 0.0037
Exploits 1, References 6
CNNVD
added 2026/03/08 12:00 a.m., 2 views

SourceCodester Modern Image Gallery App Path Traversal Vulnerability

SourceCodester Modern Image Gallery App is an open-source modern image gallery application developed by SourceCodester. Version 1.0 of the SourceCodester Modern Image Gallery App contains a path traversal vulnerability, which arises from incorrect handling of the parameter filename in the file...

CVSS 6.9, AI score 6.6, EPSS 0.00785
Exploits 1, References 6
CVE
added 2026/02/18 12:00 a.m., 9 views

CVE-2025-70150

CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter. The CVE-2025-70150 entry uses a network-exposed, unauthenticated path with high impact to...

CVSS 9.8, AI score 5.8, EPSS 0.00571
Exploits 1, References 2, Affected Software 1
RedhatCVE
added 2026/01/29 9:24 a.m., 4 views

CVE-2026-1310

The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the migaajaxeditorcaldelete function that is hooked to the migaeditorcaldelete AJAX action with both authenticated...

CVSS 5.3, AI score 6, EPSS 0.00338
Exploits 0, References 1
RedhatCVE
added 2026/01/09 10:53 a.m., 10 views

CVE-2022-33882

Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in the file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code...

CVSS 9.8, AI score 7.5, EPSS 0.00789
Exploits 0, References 1
Github Security Blog
added 2026/01/08 9:01 p.m., 11 views

Soft Serve is missing an authorization check in LFS lock deletion

LFS Lock Force-Delete Authorization Bypass. Summary: An authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before...

CVSS 5.4, AI score 7.2, EPSS 0.00273
Exploits 1, References 4, Affected Software 1
CNNVD
added 2025/12/01 12:00 a.m., 2 views

Blood Bank Management System Security Vulnerability

Blood Bank Management System is a blood bank management system by shridhar shukla, an individual developer. A security vulnerability exists in Blood Bank Management System version 1.0, which stems from an elevation of privilege issue in delete.php...

CVSS 9.6, AI score 7.1, EPSS 0.00416
Exploits 1, References 4
CVE
added 2025/11/30 3:02 a.m., 17 views

CVE-2025-13782

Affects taosir WTCMS (SlideController component). The delete function in application/Admin/Controller/SlideController.class.php accepts an ids parameter and can be abused to perform SQL injection. This is exploitable remotely; public exploit is referenced. Affected versions are prior to 01a5f68a3...

CVSS 9.8, AI score 7.2, EPSS 0.0033
Exploits 0, References 5, Affected Software 1
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2021-18889

Malware in sbrugna...

CVSS 5.5, AI score 6.2, EPSS 0.00255
Exploits 0, References 2