CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 4 days ago•10 views

CVE-2026-9172

WordPress plugin Devs Accounting – Simple Accounting and Invoicing Solution (versions up to 1.2.0) is vulnerable to unauthorized modification/deletion of data due to a missing capability check in delete_single_account(), with the REST route devs-accounting/v1/delete-account/(?P\d+) registered wit...

5.3CVSS6AI score0.00227EPSS

Exploits0References3

Patchstack•added 5 days ago•5 views

WordPress Advanced Contact Form 7 – Compact DB plugin <= 1.0.0 - Missing Authorization to Unauthenticated Arbitrary Contact Form Submission Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary Contact Form Submission Deletion vulnerability discovered by Eason - The University of Sydney in WordPress Plugin Advanced Contact Form 7 – Compact DB versions = 1.0.0...

5.3CVSS5.9AI score0.00295EPSS

Exploits0References1Affected Software1

Cvelist•added 6 days ago•26 views

CVE-2026-56423 MISP Core: Broken access control allows instance-wide unauthorized deletion of event reports and sharing groups via bulk deletion endpoints

MISP Core contained broken access-control checks in the bulk deletion flows for Event Reports and Sharing Groups. The affected deleteSelection handlers authorized deletion using broad role-level permissions instead of validating authorization for each selected object. For Event Reports,...

9.4CVSS0.00261EPSS

NVD•added 2026/06/16 6:16 a.m.•12 views

CVE-2026-9187

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the actionremoveabandoned function, which is registered to both the...

5.3CVSS0.00228EPSS

Exploits0References4

Positive Technologies•added 2026/06/15 12:0 a.m.•6 views

PT-2026-49413

Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi Save Entries, File Upload & Country Code Field = 1.0.6 versions...

8.6CVSS5.3AI score0.00442EPSS

Github Security Blog•added 2026/06/12 9:0 p.m.•11 views

File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

Summary A low-privileged authenticated user of filebrowser with create + delete permissions in their own isolated scope can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose...

7.2CVSS5.5AI score0.00411EPSS

Exploits0References4Affected Software2

RedhatCVE•added 2026/06/05 7:37 p.m.•11 views

CVE-2026-3595

The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/deletecustomer without a permissioncallback, causing...

5.3CVSS5.5AI score0.00441EPSS

RedhatCVE•added 2026/06/05 7:28 p.m.•11 views

CVE-2026-4128

The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The deleteterm function, which handles the 'tpmcatttdeleteterm' AJAX action, does not perform any capability check e.g., currentusercan to verify the...

4.3CVSS5.6AI score0.00245EPSS

RedhatCVE•added 2026/06/05 7:10 p.m.•9 views

CVE-2026-35555

PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups...

7CVSS5.4AI score0.00154EPSS

Positive Technologies•added 2026/06/02 12:0 a.m.•13 views

PT-2026-45789

Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations...

5.8AI score0.00138EPSS

OSV•added 2026/06/01 11:42 a.m.•6 views

BIT-KIBANA-2026-33462 Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts

A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana...

OSV•added 2026/06/01 11:39 a.m.•7 views

BIT-ELK-2026-33462 Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts

RedhatCVE•added 2026/05/29 8:13 p.m.•10 views

CVE-2026-33462

Snyk•added 2026/05/28 10:45 p.m.•5 views

Directory Traversal

Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Directory Traversal via the dashboard management functionality. An attacker can cause unauthorized deletion of user accounts or...

7.3CVSS6.1AI score0.00223EPSS

Vulnrichment•added 2026/05/28 7:33 p.m.•9 views

CVE-2026-33462 Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts

4.6CVSS5.8AI score0.00223EPSS

CVE•added 2026/05/28 7:33 p.m.•42 views

CVE-2026-33462

CVE-2026-33462 : Path traversal in Kibana dashboard management allows an authenticated, low-privileged user to craft a dashboard ID that, when deleted by an admin, can be redirected to an unintended endpoint, potentially enabling unauthorized deletion of user accounts or other resources. Affected...