2 matches found
CVE-2026-12428
The CVE concerns the WordPress plugin Blocks for ACF Fields (versions up to 1.6.2). A missing capability check on the REST endpoint /wp-json/acf-field-blocks/v1/values (get_all_values) allows unauthorized access to ACF field data. The permission_callback only verifies publish_posts, and the handl...
CVE-2026-27839
CVE-2026-27839 affects wger up to version 2.4, where three nutritional_values endpoints fetch objects via Model.objects.get(pk=pk) instead of using a user-scoped queryset. This allows any authenticated user to read another user’s private nutrition data (caloric intake and full macro breakdown) by...