95 matches found
EUVD-2026-30520
The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the updateSettings function. This makes it possible for unauthenticated attackers to change the Notify Odoo URL to ...
CVE-2026-8425
The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the updateSettings function. This makes it possible for unauthenticated attackers to change the Notify Odoo URL to ...
CVE-2026-41903
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user holding the PERMEDITUSERS permission intended for general user-profile editing can read and modify the notification subscriptions of any other user, including admins, by sending a...
CVE-2026-7841
A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the fronte...
CVE-2026-7841
GV-ASWeb 6.2.0 contains a remote code execution via the ASWebCommon.srf backend when an authenticated user with System Setting permissions sends a crafted HTTP POST to bypass frontend restrictions. CVSSv3.1: 8.8 (HIGH), AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Exploitation status is not provided in t...
CVE-2026-7841 GV-ASWeb Remote Code Execution (RCE) vulnerability
A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the fronte...
CVE-2026-7841 GV-ASWeb Remote Code Execution (RCE) vulnerability
A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the fronte...
CVE-2026-7841
A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the fronte...
PT-2026-37354
A remote code execution vulnerability exists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated user with System Setting permissions can execute arbitrary commands on the server by sending a crafted HTTP POST request to the ASWebCommon.srf backend endpoint to bypass the fronte...
MAL-2026-1805 Malicious code in notification-settings-layout (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 77ec9a9823eefe0c031995eea2a7f2fc660ebf4843a6aaf365c042a8dbab2cb7 The package notification-settings-layout was found to contain malicious code...
Malicious code in notification-settings-layout (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 77ec9a9823eefe0c031995eea2a7f2fc660ebf4843a6aaf365c042a8dbab2cb7 The package notification-settings-layout was found to contain malicious code...
StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings
Summary The updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account id !== userData.user.id. Any authenticated visitor...
CVE-2026-32104
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never...
CVE-2026-32104 StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never...
PT-2026-24821
Summary The updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account id !== userData.user.id. Any authenticated visitor...
CVE-2026-23964
Mastodon vendor: Mastodon server (ActivityPub). Vulnerability CVE-2026-23964 is an insecure direct object reference in the web push subscription update endpoint affecting versions < 4.5.5, < 4.4.12, and
CVE-2025-14948 miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification
The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enablewcsmsnotification AJAX action in all versions up to, and including, 4.3.8. This makes it possible for...
WordPress miniOrange OTP Verification and SMS Notification for WooCommerce plugin <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification vulnerability
Missing Authorization to Unauthenticated Notification Settings Modification vulnerability discovered by Abdualrhman Muzamil - 0bytes in WordPress Plugin miniOrange OTP Verification and SMS Notification for WooCommerce versions = 4.3.8...
CVE-2025-67715
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue...
PYSEC-2025-233
Weblate is a web based localization tool. In versions prior to 5.15, it was possible to retrieve user notification settings or list all users via API. Version 5.15 fixes the issue...