Lucene search

2867 matches found

CVE
added 2 hours ago, 5 views

CVE-2026-58448

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

CVSS 7.1, AI score 5.9
Exploits 0, References 3
Nuclei
added 18 hours ago, 19 views

AntD Admin - Sensitive Information Disclosure

Antd-admin 5.5.0 is affected by an incorrect access control vulnerability. Attackers can exploit this vulnerability to gain unauthorized access to some front-end interfaces, resulting in the leakage of sensitive information such as user...

CVSS 7.5, AI score 7.1, EPSS 0.04418
Exploits 1, References 3
NVD
added yesterday, 9 views

CVE-2026-56781

Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from shar...

CVSS 6.9
Exploits 0, References 4
CVE
added yesterday, 7 views

CVE-2026-57946

CVE-2026-57946 affects Invidious prior to version 2.20260626.0. A broken access control allows unauthenticated attackers to fetch private playlist contents by requesting the RSS feed playlist endpoint with a playlist ID, exposing the full playlist, owner email address, and associated video entrie...

CVSS 6.3, AI score 5.8
Exploits 0, References 5
CVE
added yesterday, 9 views

CVE-2026-57945

CVE-2026-57945 (PhotoPrism): A broken access control flaw in PhotoPrism prior to 260601-a7d098548 allows authenticated non-admin users to modify other users' profile information by exploiting the PUT /api/v1/users/{uid} endpoint. The root cause is missing validation that ties the sess...

CVSS 5.3, AI score 5.9
Exploits 0, References 3
EUVD
added yesterday, 7 views

EUVD-2026-40161

LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate sharedto relations without prop...

CVSS 6.0, AI score 5.9
Exploits 0, References 5
Cvelist
added yesterday, 34 views

CVE-2026-13544 Feehi CMS API users access control

A flaw has been found in Feehi CMS up to 2.1.1. It affects unknown functionality of the file /api/users in the API component and results in improper access control. The attack can be initiated remotely. The exploit has been published and may be used. The project wa...

CVSS 6.5, EPSS 0.00214
Exploits 0, References 8
EUVD
added 4 days ago, 6 views

EUVD-2026-39657

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags...

CVSS 4.3, AI score 5.8, EPSS 0.00167
Exploits 0, References 2
EUVD
added 4 days ago, 7 views

EUVD-2026-39769

Affiliate Broken Access Control in Affiliates Manager = 2.9.49 versions...

CVSS 6.5, AI score 5.8, EPSS 0.00174
Exploits 0, References 1
CVE
added 4 days ago, 19 views

CVE-2026-57925

JetBrains YouTrack before 2026.2.16593 has an improper access control vulnerability (CVE-2026-57925) that enables reading saved queries and tags. The root cause is access control weakness; attacker with network access and low privileges (CVSSv3.1: AV:N/AC:L/PR:L/UI:N/S:U) can access sensitive dat...

CVSS 5.3, AI score 5.8, EPSS 0.00167
Exploits 0, References 1, Affected software 1
EUVD
added 4 days ago, 11 views

EUVD-2026-39623

An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges...

CVSS 8.5, AI score 6.1, EPSS 0.00122
Exploits 0, References 1
ATTACKERKB
added 4 days ago, 11 views

CVE-2026-8797

An access control deficiency vulnerability exists in ExpressUpdate Agent for Windows. If a malicious user gains access to the product, arbitrary code could be executed with SYSTEM privileges...

CVSS 8.5, AI score 6.1, EPSS 0.00122
Exploits 0, References 2, Affected software 1
ATTACKERKB
added 5 days ago, 5 views

CVE-2026-57521

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers...

CVSS 5.3, AI score 6.0, EPSS 0.00211
Exploits 1, References 6
EUVD
added 5 days ago, 4 views

EUVD-2026-39525

NewsBlur before 14.5.0 contains a broken access control vulnerability that allows authenticated users to read private notification feeds by supplying arbitrary userid values to the GET /social/interactions endpoint without ownership verification. Attackers can enumerate userid values to access...

CVSS 5.3, AI score 6.0, EPSS 0.00204
Exploits 0, References 3
CVE
added 5 days ago, 9 views

CVE-2026-56050

CVE-2026-56050 affects the WordPress PPOM for WooCommerce plugin (Themeisle) up to version 33.0.18. The issue is described as an Improper Access Control vulnerability, arising from incorrectly configured access control security levels within the PPOM for WooCommerce feature set. The available doc...

CVSS 6.5, AI score 5.8, EPSS 0.00196
Exploits 0, References 1
CVE
added 5 days ago, 17 views

CVE-2026-54830

Affected software: WordPress Five Star Restaurant Reservations plugin, versions

CVSS 7.5, AI score 5.8, EPSS 0.00238
Exploits 0, References 1
CVE
added 6 days ago, 10 views

CVE-2026-57304

CVE-2026-57304 affects the Jenkins Assembla Plugin (versions ≤ 1.4). The root cause is a missing permission check, allowing attackers who have Overall/Read permission to instruct the plugin to connect to an attacker-specified URL using attacker-specified credentials. The description in connected ...

CVSS 5.4, AI score 5.8, EPSS 0.00161
Exploits 0, References 1, Affected software 1
NVD
added 2026/06/23 5:16 p.m., 11 views

CVE-2026-34912

A missing access control check when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API, allows a low-privileged user to link their zones to banners or campaigns owned by other managers on the same instance, resulting i...

CVSS 4.3, EPSS 0.00223
Exploits 1, References 1
Cvelist
added 2026/06/23 4:39 p.m., 33 views

CVE-2026-54021 Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied url_idx path parameter and use it as a raw index into the admin-configured OLLAMA_BASE_URLS list. Access...

CVSS 6.3, EPSS 0.0021
Exploits 0, References 1
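Most entries in this result set are the same defect in three shapes: a per-user record addressed by a caller-supplied id with no ownership check (NewsBlur GET /social/interactions, the PhotoPrism user endpoint, the Bitwarden organizationId), an admin-configured list addressed by a caller-supplied index (the Open WebUI url_idx route above), and a shared view that honours whatever field ids the client puts in its projection (the Teable entry). The block below is an added illustration written for this page, not code from any of those projects, and none of the fixes shown is claimed to be the vendor's patch. Endpoints, record data, backend URLs and the per-user allowlist are all constructed; the Principal type stands in for whatever session object the real framework provides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Caller identity as established by the session, never taken from the request."""
    user_id: str
    is_admin: bool = False


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# ---- constructed sample data (hypothetical, not from any real deployment) ----
# Pattern 1: per-user records addressed by a caller-supplied user id.
INTERACTIONS = {
    "u1": ["u2 replied to your comment"],
    "u2": ["private: password reset requested"],
}
# Pattern 2: an admin-configured list addressed by a caller-supplied index.
BACKENDS = ["http://ollama-a.internal:11434", "http://ollama-b.internal:11434"]
BACKEND_ACCESS = {"u1": {0}, "u2": {0, 1}}  # assumed per-user allowlist of indexes
# Pattern 3: a shared view that exposes only some fields of each record.
VIEW_VISIBLE_FIELDS = {"view-1": {"fldName", "fldStatus"}}
RECORDS = [
    {"fldName": "widget", "fldStatus": "open", "fldSalary": 90000},
    {"fldName": "gadget", "fldStatus": "closed", "fldSalary": 120000},
]


# ---- Pattern 1: bind the requested object to the session ----
def interactions_vulnerable(caller: Principal, user_id: str) -> list:
    """Trusts user_id from the request: any authenticated user reads any feed."""
    return INTERACTIONS.get(user_id, [])


def interactions_hardened(caller: Principal, user_id: str) -> list:
    """The record must belong to the session user unless the caller is an admin.
    NotFound (not Forbidden) for foreign ids, so the response does not confirm
    that a given user id exists and the endpoint is not an enumeration oracle."""
    if user_id != caller.user_id and not caller.is_admin:
        raise NotFound(user_id)
    return INTERACTIONS.get(user_id, [])


# ---- Pattern 2: validate an index before using it as a raw subscript ----
def backend_vulnerable(caller: Principal, url_idx: int) -> str:
    """Raw subscript: any index, negative ones included, selects a backend."""
    return BACKENDS[url_idx]


def backend_hardened(caller: Principal, url_idx) -> str:
    """Type check (bool is an int subclass, hence the exact-type test), bounds
    check, then the per-user allowlist; only then touch the admin-configured list."""
    if type(url_idx) is not int or not 0 <= url_idx < len(BACKENDS):
        raise NotFound(url_idx)
    if url_idx not in BACKEND_ACCESS.get(caller.user_id, set()):
        raise Forbidden(url_idx)
    return BACKENDS[url_idx]


# ---- Pattern 3: intersect the projection with what the view may expose ----
def share_records_vulnerable(view_id: str, projection: list) -> list:
    """Returns whatever field ids the caller asked for, hidden ones included."""
    return [{f: r[f] for f in projection if f in r} for r in RECORDS]


def share_records_hardened(view_id: str, projection: list) -> list:
    """Server-side visibility is the only source of truth; the client projection
    can narrow it but never widen it. Hidden and nonexistent field ids are both
    dropped silently, so the response cannot be used to enumerate hidden ids."""
    visible = VIEW_VISIBLE_FIELDS.get(view_id)
    if visible is None:
        raise NotFound(view_id)
    fields = visible if not projection else visible.intersection(projection)
    return [{f: r[f] for f in fields if f in r} for r in RECORDS]


def raises(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc; used to show the hardened handlers refusing."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    u1 = Principal("u1")
    print(interactions_vulnerable(u1, "u2"))          # u1 reads u2's private feed
    print(raises(NotFound, interactions_hardened, u1, "u2"))
    print(backend_vulnerable(u1, -1))                  # negative index picks the last backend
    print(raises(NotFound, backend_hardened, u1, -1))
    print(share_records_vulnerable("view-1", ["fldSalary"]))
    print(share_records_hardened("view-1", ["fldSalary"]))
```

The common thread is that the hardened handlers derive the authorization decision from server-held state (the session principal, the configured allowlist, the view's visibility set) and treat every request-supplied identifier, index or field list purely as a selector within what that state already permits. When testing a fix of this kind, check the negative-index and wrong-type cases for list subscripts, and compare the responses for a hidden id and a nonexistent id: if they differ, the endpoint still leaks existence.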
Redos
added 2026/06/22 12:00 a.m., 4 views

ROS-20260622-73-0008

The vulnerability of the WebRender component in Mozilla Firefox, Firefox ESR, and the email client Thunderbird is related to deficiencies in access control. Exploiting this vulnerability can allow an attacker to enhance their privileges remotely...

CVSS 8.8, AI score 5.8, EPSS 0.00385
Exploits 0