273 matches found
CVE-2026-56313
Capgo before 12.128.2 contains a cross-organization account disruption vulnerability in the SSO prelink endpoint that allows enterprise administrators to delete password identities of users in foreign organizations. Attackers with org.updatesettings permission and an active SSO provider can call...
CVE-2026-34050 Coolify Settings/Updates Livewire component missing instance administrator authorization
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially...
CVE-2026-34050
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially...
CVE-2026-34050
CVE-2026-34050 affects Coolify, specifically the Settings/Updates Livewire component. The root cause is a missing isInstanceAdmin check in the component's mount method, allowing non-admin users to access the Updates settings page and potentially modify auto-update settings or trigger update check...
CVE-2026-34050 Coolify Settings/Updates Livewire component missing instance administrator authorization
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Settings/Updates Livewire component does not check isInstanceAdmin in its mount method, allowing non-admin users to access the Updates settings page and potentially...
CVE-2026-14691
A security vulnerability has been detected in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This impacts the function updatesettingsinfo of the file classes/SystemSettings.php of the component Setting Handler. Such manipulation of the argument content leads to code injection...
EUVD-2026-41714
A security vulnerability has been detected in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This impacts the function updatesettingsinfo of the file classes/SystemSettings.php of the component Setting Handler. Such manipulation of the argument content leads to code injection...
CVE-2026-14691
A security vulnerability has been detected in SourceCodester Multi-Vendor Online Grocery Management System 1.0. This impacts the function updatesettingsinfo of the file classes/SystemSettings.php of the component Setting Handler. Such manipulation of the argument content leads to code injection...
CVE-2026-14691
CVE-2026-14691 affects SourceCodester Multi-Vendor Online Grocery Management System 1.0. The vulnerability resides in the function update_settings_info of the file classes/SystemSettings.php (Setting Handler). Manipulating the argument content[] enables code injection. The attack is described as ...
PT-2026-51704
Name of the Vulnerable Software and Affected Versions MotorDesk versions prior to 1.1.3 Description The MotorDesk plugin for WordPress contains a Cross-Site Request Forgery CSRF flaw, which occurs when a web application allows an attacker to induce a user to perform actions they do not intend to...
CVE-2026-8499
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the helpfulcrowdvalidatetoken function using a loose comparison operator != instead of a strict comparison !== when validating...
CVE-2026-8910
The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web...
CVE-2026-8499 Helpfulcrowd Product Reviews <= 1.2.9 - Inccorect Authorization via Type Juggling in 'token' Parameter to Arbitrary Settings Update
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the helpfulcrowdvalidatetoken function using a loose comparison operator != instead of a strict comparison !== when validating...
EUVD-2026-35302
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the helpfulcrowdvalidatetoken function using a loose comparison operator != instead of a strict comparison !== when validating...
CVE-2026-8499
The CVE concerns the WordPress Helpfulcrowd Product Reviews plugin (vulnerable up to 1.2.9). Root cause: a PHP type-juggling flaw in helpfulcrowd_validate_token() uses a loose != comparison, paired with a REST route (wp-json/helpfulcrowd/v1/update-settings) that has a permissive permission_callba...
CVE-2026-8499 Helpfulcrowd Product Reviews <= 1.2.9 - Inccorect Authorization via Type Juggling in 'token' Parameter to Arbitrary Settings Update
The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the helpfulcrowdvalidatetoken function using a loose comparison operator != instead of a strict comparison !== when validating...
PT-2026-47672
Name of the Vulnerable Software and Affected Versions Helpfulcrowd Product Reviews versions prior to 1.3.0 Description The Helpfulcrowd Product Reviews plugin for WordPress allows unauthenticated authorization bypass due to PHP Type Juggling. This occurs because the helpfulcrowd validate token...
CVE-2026-37598
SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution RCE via /scheduler/classes/SystemSettings.php?f=updatesettings...
CVE-2026-7614
The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPHoptions function. This makes it possible for unauthenticated attackers to update the plugin's...
CVE-2026-34216
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowli...