
64828 matches found

Cvelist
added 2026/05/19 7:45 a.m. | 32 views

CVE-2026-44408 Unauthorized access vulnerability in ZTE MU5250

There is an unauthorized access vulnerability in ZTE MU5250. Due to improper permission control of the Web interface, an unauthorized attacker can modify configuration through the interface...

CVSS 6.3 | EPSS 0.00025
Exploits: 0 | References: 1
Vulnrichment
added 2026/05/19 7:45 a.m. | 7 views

CVE-2026-44408 Unauthorized access vulnerability in ZTE MU5250

There is an unauthorized access vulnerability in ZTE MU5250. Due to improper permission control of the Web interface, an unauthorized attacker can modify configuration through the interface...

CVSS 6.3 | AI score 5.8 | EPSS 0.00025
Exploits: 0 | References: 1
ATTACKERKB
added 2026/05/19 12:00 a.m. | 5 views

CVE-2026-31071

API endpoints in LalanaChami Pharmacy Management System commit 5c3d028 lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records including bcrypt password hashes via /api/user/getUserData, modify drug inventory, and access private medical...

AI score 5.8 | EPSS 0.00059
Exploits: 0 | References: 3
CNNVD
added 2026/05/19 12:00 a.m. | 6 views

Keycloak security vulnerability

Keycloak is an open-source identity and access management solution developed by Keycloak. There is a security vulnerability in Keycloak. This vulnerability stems from an insecure direct object reference issue in the authorization service’s protected API endpoints. It allows authenticated clients ...

CVSS 6.8 | AI score 5.8 | EPSS 0.00012
Exploits: 0 | References: 1
CNNVD
added 2026/05/19 12:00 a.m. | 5 views

MLflow access control error vulnerability

MLFlow is an open-source platform that simplifies machine learning development. It includes features for tracking experiments, packaging code for reproducible runs, and sharing and deploying models. Version 3.9.0 of MLFlow contains a security vulnerability related to access control. This...

CVSS 9.6 | AI score 7.6 | EPSS 0.00036
Exploits: 1 | References: 1
CNNVD
added 2026/05/19 12:00 a.m. | 5 views

Sparx Enterprise Architect security vulnerability

Sparx Enterprise Architect is a modeling and design tool developed by the Australian company Sparx. Versions of Sparx Enterprise Architect prior to 17.1 contained security vulnerabilities. These vulnerabilities stemmed from security features that restricted user actions. Authorized attackers coul...

CVSS 8.7 | AI score 5.9 | EPSS 0.00043
Exploits: 1 | References: 1
Positive Technologies
added 2026/05/19 12:00 a.m. | 6 views

PT-2026-41894

Name of the Vulnerable Software and Affected Versions: Sparx Enterprise Architect versions 17.1 and earlier. Description: A security feature intended to limit user actions based on assigned roles can be bypassed. An authenticated attacker can modify the client behavior, for example by using a...

CVSS 8.7 | AI score 5.8 | EPSS 0.00043
Exploits: 1 | References: 7
Vulnrichment
added 2026/05/19 12:00 a.m. | 4 views

CVE-2026-31071

API endpoints in LalanaChami Pharmacy Management System commit 5c3d028 lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records including bcrypt password hashes via /api/user/getUserData, modify drug inventory, and access private medical...

AI score 5.8 | EPSS 0.00059
Exploits: 0 | References: 2
OSV
added 2026/05/19 12:00 a.m. | 4 views

MAL-2026-4027 Malicious code in @antv/hierarchy (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score 5.8
Exploits: 0 | References: 4
CNNVD
added 2026/05/19 12:00 a.m. | 5 views

ZTE MU5250 information disclosure vulnerability

The ZTE MU5250 is a 5G mobile Wi-Fi device produced by ZTE Corporation. The ZTE MU5250 has a vulnerability related to information leakage, which stems from improper control of web interface permissions. Unauthorized attackers can modify the configuration through these interfaces...

CVSS 6.3 | AI score 5.8 | EPSS 0.00025
Exploits: 0 | References: 1
CVE
added 2026/05/19 12:00 a.m. | 7 views

CVE-2026-31071

CVE-2026-31071 affects LalanaChami Pharmacy Management System (version 5c3d028). The API endpoints lacking authentication middleware are "/api/user/getUserData" and "/api/doctorOder", enabling unauthenticated remote attackers to dump all user records (including bcrypt password hashes), modify dru...

CVSS 9.1 | AI score 5.8 | EPSS 0.00059
Exploits: 0 | References: 2
OSV
added 2026/05/19 12:00 a.m. | 3 views

MAL-2026-4014 Malicious code in @antv/gi-public-data (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score 5.8
Exploits: 0 | References: 4
RedhatCVE
added 2026/05/18 7:58 p.m. | 6 views

CVE-2026-45345

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.5.7, a user can modify another user's model even if its visibility is set to Private. By changing the access permissions during editing, unauthorized access can be gained. This...

CVSS 6.5 | AI score 5.8 | EPSS 0.0003
Exploits: 1 | References: 1
NVD
added 2026/05/18 8:16 a.m. | 6 views

CVE-2026-3637

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the createpost channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...

CVSS 4.3 | EPSS 0.00031
Exploits: 0 | References: 1
NVD
added 2026/05/18 7:16 a.m. | 8 views

CVE-2026-1631

The Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4's license key due to a missing capability check on the...

CVSS 5.4 | EPSS 0.00013
Exploits: 0 | References: 1
Cvelist
added 2026/05/18 6:00 a.m. | 33 views

CVE-2026-1631 Feeds for YouTube < 2.6.4 - Subscriber+ License Data Deletion

The Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4's license key due to a missing capability check on the...

EPSS 0.00013
Exploits: 0 | References: 1
ATTACKERKB
added 2026/05/18 6:00 a.m. | 8 views

CVE-2026-1631

The Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4's license key due to a missing capability check on the...

CVSS 5.4 | AI score 5.8 | EPSS 0.00013
Exploits: 0 | References: 1
EUVD
added 2026/05/18 6:00 a.m. | 7 views

EUVD-2026-30735

The Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4's license key due to a missing capability check on the...

CVSS 5.4 | AI score 5.8 | EPSS 0.00013
Exploits: 0 | References: 1
Positive Technologies
added 2026/05/18 12:00 a.m. | 9 views

PT-2026-41635

The Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4's license key due to a missing capability check on the...

AI score 5.8 | EPSS 0.00013
Exploits: 0 | References: 2
NVD
added 2026/05/17 1:16 p.m. | 6 views

CVE-2018-25336

jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change user credentials, passwords, and affiliate account details...

CVSS 6.9 | EPSS 0.0001
Exploits: 0 | References: 4