Lucene search
K

39 matches found

EUVD
EUVD
added yesterday6 views

EUVD-2026-43288

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

4.3CVSS6.2AI score0.0014EPSS
Exploits0References2
NVD
NVD
added yesterday4 views

CVE-2026-12273

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

4.3CVSS0.0014EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday13 views

CVE-2026-12273 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

0.0014EPSS
Exploits0References1
NVD
NVD
added 4 days ago6 views

CVE-2026-39903

Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated...

7.1CVSS0.00333EPSS
Exploits0References5
CVE
CVE
added 4 days ago8 views

CVE-2026-39903

The CVE concerns Simple Machines Forum (SMF) 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5. A single-character operator error in Sources/Actions/AttachmentApprove.php causes the permission check to always pass, enabling an authenticated low-privilege user to approve, reject, or delete any pendi...

7.1CVSS6.1AI score0.00333EPSS
Exploits0References5
Cvelist
Cvelist
added 4 days ago27 views

CVE-2026-39903 Simple Machines Forum Authorization Bypass via AttachmentApprove.php

Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated...

7.1CVSS0.00333EPSS
Exploits0References5
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42941

Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated...

7.1CVSS6.1AI score0.00333EPSS
Exploits0References5
CVE
CVE
added 2026/07/03 4:30 a.m.18 views

CVE-2026-9626

The CVE-2026-9626 entry concerns the WordPress JSON API User plugin (

6.4CVSS5.9AI score0.00228EPSS
Exploits0References6
NVD
NVD
added 2026/05/14 5:16 a.m.27 views

CVE-2026-7525

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS0.00341EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.17 views

PT-2026-40850

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS5.8AI score0.00341EPSS
Exploits0References13
OSV
OSV
added 2026/04/20 6:31 a.m.7 views

GHSA-F3Q6-69F3-VWCH FastChat has a Content Moderation Bypass via Arena Side-by-Side Views

A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function addtext of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used. The root cause was...

6.9CVSS5.7AI score0.00308EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2026/04/01 11:1 p.m.3 views

CVE-2026-34738

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and dra...

4.3CVSS6AI score0.00238EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/04/01 9:7 p.m.7 views

AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

Summary AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and draft workflows. The setStatus method validates the status code again...

4.3CVSS6.1AI score0.00238EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/04/01 9:7 p.m.8 views

EUVD-2026-17656

AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter...

4.3CVSS5.8AI score0.00238EPSS
Exploits1References3
OSV
OSV
added 2026/04/01 9:7 p.m.6 views

GHSA-M577-W9J8-CH7J AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

Summary AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and draft workflows. The setStatus method validates the status code again...

4.3CVSS6.1AI score0.00238EPSS
Exploits1References4
NVD
NVD
added 2026/03/31 9:16 p.m.4 views

CVE-2026-34738

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and dra...

4.3CVSS0.00238EPSS
Exploits1References1
CVE
CVE
added 2026/03/31 8:55 p.m.10 views

CVE-2026-34738

CVE-2026-34738 affects WWBN AVideo (

4.3CVSS5.9AI score0.00238EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/03/31 8:55 p.m.22 views

CVE-2026-34738 AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and dra...

4.3CVSS0.00238EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/31 8:55 p.m.3 views

CVE-2026-34738 AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and dra...

4.3CVSS5.9AI score0.00238EPSS
Exploits1References1
OSV
OSV
added 2026/03/31 8:55 p.m.5 views

CVE-2026-34738 AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and dra...

4.3CVSS6AI score0.00238EPSS
Exploits1References3
Rows per page
Query Builder