Lucene search
+L

244 matches found

NVD
NVD
added 2026/02/26 3:16 a.m.10 views

CVE-2026-25963

Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports...

6.5CVSS0.00191EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/11 1:33 a.m.12 views

CVE-2026-25876

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the backend/src/routes/results.routes.ts verify authentication but fails to enforce object-level authorization ownership checks. For example, this can be used to return all results for an assessment...

9.1CVSS5.5AI score0.00246EPSS
Exploits0References1
NVD
NVD
added 2026/02/10 4:16 a.m.8 views

CVE-2026-0486

In ABAP based SAP systems a remote enabled function module does not perform necessary authorization checks for an authenticated user resulting in disclosure of system information.This has low impact on confidentiality. Integrity and availability are not impacted...

5CVSS0.00168EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/02/05 12:0 a.m.18 views

PT-2026-6726

Name of the Vulnerable Software and Affected Versions Spree versions prior to 5.0.8 Spree versions prior to 5.1.10 Spree versions prior to 5.2.7 Spree versions prior to 5.3.2 Description Spree, an open source e-commerce solution, contains a flaw where unauthenticated users can view completed gues...

8.7CVSS5.5AI score0.00441EPSS
Exploits1References15
RedhatCVE
RedhatCVE
added 2026/01/26 9:8 p.m.8 views

CVE-2026-20888

Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. Mitigation Mitigation for this issue is either not available or the currently available...

4.3CVSS5.8AI score0.00303EPSS
Exploits0References8
CVE
CVE
added 2026/01/22 10:1 p.m.19 views

CVE-2026-20888

Summary: CVE-2026-20888 affects Gitea’s web interface for scheduled auto-merges. The root cause is improper authorization verification when canceling scheduled auto-merges via the web UI. What is affected: Gitea, specifically the ability to cancel auto-merges scheduled by other users, even when a...

4.3CVSS5.4AI score0.00303EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/01/15 5:16 p.m.8 views

CVE-2026-23494

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the application fails to enforce proper server-side authorization checks on the API endpoint responsible for reading or listing static routes. In Pimcore, static routes are custom URL patterns defined vi...

6.5CVSS0.00319EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/01/13 10:53 p.m.5 views

CVE-2025-13753

The WP Table Builder – Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the savetable function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with...

4.3CVSS5.7AI score0.00242EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 10:44 a.m.25 views

CVE-2022-0363

The myCred WordPress plugin before 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts...

4.3CVSS6.8AI score0.00339EPSS
Exploits1References1
OSV
OSV
added 2026/01/08 9:27 p.m.5 views

GHSA-G268-72P7-9J6J Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Summary An Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...

6.5CVSS6.6AI score0.00371EPSS
Exploits1References8
CNNVD
CNNVD
added 2026/01/06 12:0 a.m.5 views

WordPress plugin Creator LMS 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security vulnerabili...

5.3CVSS6.4AI score0.0023EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/01/06 12:0 a.m.5 views

WordPress plugin RSS Feed Widget 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security vulnerabili...

5.4CVSS6.6AI score0.0017EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/01/05 4:44 p.m.28 views

CVE-2025-46255 WordPress LoginWP - Pro Plugin <= 4.0.8.5 - Settings Change vulnerability

Missing Authorization vulnerability in Marketing Fire LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LoginWP - Pro: from n/a through 4.0.8.5...

7.5CVSS0.002EPSS
Exploits0References1
OSV
OSV
added 2025/12/28 7:2 a.m.5 views

CVE-2025-15125 JeecgBoot queryDepartPermission improper authorization

A security flaw has been discovered in JeecgBoot up to 3.9.0. Affected is the function queryDepartPermission of the file /sys/permission/queryDepartPermission. The manipulation of the argument departId results in improper authorization. The attack can be launched remotely. This attack is...

2.3CVSS5.2AI score0.0027EPSS
Exploits1References6
NVD
NVD
added 2025/11/26 6:15 a.m.11 views

CVE-2025-12061

The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements...

8.6CVSS0.00158EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/11/26 12:0 a.m.6 views

WordPress plugin TAX SERVICE Electronic HDM 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress plugin is an application plugin. A lack of authorization vulnerability exists in WordPress TAX SERVICE Electronic HDM, which stems from a lack of authorization and CSRF checks in AJAX operations. An attacker...

8.6CVSS6.5AI score0.00158EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2025/11/26 12:0 a.m.10 views

PT-2025-48130

Name of the Vulnerable Software and Affected Versions TAX SERVICE Electronic HDM WordPress plugin versions prior to 1.2.1 Description The TAX SERVICE Electronic HDM WordPress plugin does not perform authorization and Cross-Site Request Forgery CSRF checks in an AJAX action. This allows...

8.6CVSS7.3AI score0.00158EPSS
Exploits0References7
EUVD
EUVD
added 2025/11/25 9:32 p.m.8 views

EUVD-2025-199636

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data e.g., user profiles, project records fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This...

5.3CVSS6AI score0.00206EPSS
Exploits0References3
NVD
NVD
added 2025/11/25 7:15 p.m.25 views

CVE-2025-64065

The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint, fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to a access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...

8.8CVSS0.00261EPSS
Exploits0References2
NVD
NVD
added 2025/11/25 7:15 p.m.7 views

CVE-2025-64067

Primakon Pi Portal 1.0.18 API endpoints responsible for retrieving object-specific or filtered data e.g., user profiles, project records fail to implement sufficient server-side validation to confirm that the requesting user is authorized to access the requested object or dataset. This...

5.3CVSS0.00206EPSS
Exploits0References2
Rows per page
Query Builder