Lucene search

10 matches found

ATTACKERKB
added 2026/05/27 3:39 p.m., 4 views

CVE-2026-44328

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/upNodeRef handler unconditionally dereferences upNode.UPF after the type-guarded...

8.2 CVSS, 5.8 AI score, 0.00057 EPSS
Exploits: 1, References: 5, Affected Software: 1

NVD
added 2026/05/12 6:16 p.m., 5 views

CVE-2026-31242

The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE SQL statement. Th...

9.1 CVSS, 0.00126 EPSS
Exploits: 0, References: 2

Vulnrichment
added 2026/02/21 9:18 a.m., 2 views

CVE-2026-27482 Ray: Dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)

Ray is an AI compute engine. In versions 2.53.0 and below, the dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding o...

5.9 CVSS, 5.5 AI score, 0.00061 EPSS
Exploits: 1, References: 4

CVE
added 2026/02/21 9:18 a.m., 13 views

CVE-2026-27482

CVE-2026-27482 affects Ray’s dashboard HTTP server. In versions 2.53.0 and below, DELETE endpoints are unauthenticated, and the server may be reachable on 0.0.0.0, enabling a browser-based request (DNS rebinding or same-network) to issue DELETE requests that shut down Serve or delete jobs without...

6.5 CVSS, 5.6 AI score, 0.00061 EPSS
Exploits: 1, References: 4, Affected Software: 1

Github Security Blog
added 2026/02/20 9:15 p.m., 3 views

Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)

Summary: Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests...

6.5 CVSS, 6.4 AI score, 0.00061 EPSS
Exploits: 1, References: 6, Affected Software: 1

NVD
added 2025/12/20 4:16 a.m., 3 views

CVE-2025-14168

The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanupall AJAX action. This makes it possible for unauthenticated attackers to delete database records including post...

4.3 CVSS, 0.00011 EPSS
Exploits: 0, References: 3

CVE
added 2025/12/17 7:49 p.m., 6 views

CVE-2025-34434

CVE-2025-34434 affects AVideo versions prior to 20.1 with the ImageGallery plugin enabled. The vulnerability arises from image gallery endpoints that fail to enforce authentication and ownership checks, enabling unauthenticated actors to upload or delete images for any video. Red Hat and NVD entr...

9.3 CVSS, 6.8 AI score, 0.0062 EPSS
Exploits: 0, References: 4, Affected Software: 1

NVD
added 2025/10/15 9:15 a.m., 5 views

CVE-2025-10186

The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the removerow function in all versions up to, and including, 4.0.15. This makes it possible for unauthenticated attackers to delete...

5.3 CVSS, 0.00109 EPSS
Exploits: 0, References: 3

Vulnrichment
added 2025/08/23 4:25 a.m., 1 view

CVE-2025-7839 Restore Permanently delete Post or Page Data <= 1.0 - Cross-Site Request Forgery

The Restore Permanently delete Post or Page Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the rpdpodpaajaxdpdeletedata function. This makes it possible for unauthenticated...

4.3 CVSS, 5.9 AI score, 0.00026 EPSS
Exploits: 0, References: 2

CNNVD
added 2023/02/15 12:00 a.m., 2 views

LS ELECTRIC XBC-DN32U Access Control Error Vulnerability

The LS ELECTRIC XBC-DN32U is a programmable logic controller (PLC) from LS ELECTRIC in Korea. An access control error vulnerability exists in the LS ELECTRIC XBC-DN32U version 01.80, which stems from a lack of authentication for the delete command and can be exploited by an attacker to delete...

9.1 CVSS, 7.2 AI score, 0.00185 EPSS
Exploits: 0, References: 2