CVE-2026-27435
Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33...
WordPress Ninja Forms – The Contact Form Builder That Grows With You plugin <= 3.14.1 - Missing Authorization to Unauthenticated Sensitive Information Disclosure vulnerability
Missing Authorization to Unauthenticated Sensitive Information Disclosure vulnerability discovered by suyoung kimAhnLab - AhnLab in WordPress Plugin Ninja Forms versions <= 3.14.1...
CVE-2026-27435
WordPress Woffice theme versions before 5.4.33 are affected by a Missing Authorization vulnerability due to incorrectly configured access control. CVSSv3.1: 5.3 (Network, Low privileges, No user interaction). Impact: Integrity impact (LOW); others None. Affected: Woffice theme (WordPress)
EUVD-2026-40940
Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33...
CVE-2026-1239
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for...
CVE-2026-12133
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsport_season_groupdel AJAX handler, which only...
CVE-2026-13484
A flaw was found in MLflow. This vulnerability, located in the Experiment-scoped Label Schema CRUD API, allows a remote attacker to exploit missing authorization. This could lead to unauthorized access or manipulation of data within the affected component. The attack has a high complexity, making...
CVE-2026-12133
Summary: The JoomSport – for Sports: Team & League, Football & more plugin for WordPress (up to version 5.7.8) is vulnerable to Missing Authorization to Arbitrary Group Deletion via the joomsport_season_groupdel() AJAX handler. The issue arises from a missing capability check; the handler only ve...
WordPress RSVP and Event Management <2.7.8 - Missing Authorization
WordPress RSVP and Event Management plugin before 2.7.8 is susceptible to missing authorization. The plugin does not have any authorization checks when exporting its entries, and the export function is hooked to the init action. An attacker can potentially retrieve sensitive information such as...
WCFM Membership <= 2.10.0 - Broken Access Control
The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks on the AJAX actions: wcfm-memberships, wcfm-memberships-manage, and wcfm-memberships-settings. id: CVE-2022-4940 info:...
PublishPress Capabilities < 2.3.1 - Missing Authorization
The PublishPress Capabilities plugin for WordPress before 2.3.1 does not have proper authorization and CSRF checks when updating settings via the init hook, allowing unauthenticated attackers to update arbitrary blog options, such as setting the default role to administrator. id: CVE-2021-25032...
WPZOOM Social Icons Widget <= 4.2.15 - Missing Authorization
WPZOOM Social Icons Widget & Block versions up to 4.2.15 contain a missing authorization vulnerability caused by insufficient access control in the widget and block, letting attackers perform unauthorized actions; exploitation requires no special conditions. id: CVE-2024-30464 info: name: WPZOOM Socia...
LottieFiles WordPress Plugin <= 3.0.0 - Missing Authorization
LottieFiles LottieFiles <= 3.0.0 contains a broken access control vulnerability caused by incorrectly configured access control security levels, letting attackers exploit missing authorization; exploitation requires no special privileges. id: CVE-2025-68043 info: name: LottieFiles WordPress Plugin <=...
CVE-2026-9132
A missing authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to read source code from private repositories they did not have access to. The Copilot pull request description diff summary endpoint accepted a cross-repository comparison range an...
WordPress Appointment Booking Calendar plugin <= 1.4.02 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure vulnerability
Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure vulnerability discovered by PRISM in WordPress Plugin Appointment Booking Calendar versions <= 1.4.02...
CVE-2026-58377 JeecgBoot 3.9.2 - Missing Authorization on OpenAPI Credential Management Endpoints Exposes Access/Secret Keys
JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials by accessing the OpenApiAuthController and OpenApiPermissionController endpoints which lack Shiro...
CVE-2026-58176 RuoYi-Vue-Plus - Missing Authorization on Workflow Task Management Endpoints
RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task (FlwTaskController) without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global...
EUVD-2026-40276
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing...
CVE-2026-54475
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing...
CVE-2026-57949
ruoyi-vue-pro (through 2026.05) contains a missing authorization vulnerability in the CRM module’s GET /admin-api/crm/follow-up-record/get endpoint. The issue allows an authenticated user to read any follow-up record by iterating sequential numeric IDs, exfiltrating follow-up notes, file attachme...