12459 matches found
Hitachi Pentaho Business Analytics Server - Bypass Authorization
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented. id: CVE-2022-43939 info: name: Hitachi Pentaho Business Analytics Server - Bypass Authorization author: daffainf...
FatPipe WARP/IPVPN/MPVPN - Authorization Bypass
FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p91 and 10.2.2r42 contain a missing authorization caused by lack of access control in the web management interface, letting remote attackers access sensitive URLs, exploit requires no authentication. id: CVE-2021-27858 info: name:...
Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update
The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admininit function, in addition to insufficient input validation. This makes it possible for unauthenticated attackers to modify the...
Hospital Management System 1.0 - SQL Injection
Hospital Management System 1.0 contains a SQL injection vulnerability via the editid parameter in /HMS/user-login.php. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id:...
Powertek Firmware <3.30.30 - Authorization Bypass
Powertek firmware multiple brands before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface /cgi/getparam.cgi with the tmpToken cookie set to an...
Site Offline WP Plugin < 1.5.3 - Authorization Bypass
The plugin prevents users from accessing a website but does not do so if the URL contained certain keywords. Adding those keywords to the URL's query string would bypass the plugin's main feature. id: CVE-2022-1580 info: name: Site Offline WP Plugin 1.5.3 - Authorization Bypass author: s4e-io...
Lin CMS Spring Boot - Default JWT Token
An access control issue in Lin CMS Spring Boot v0.2.1 allows attackers to access the backend information and functions within the application. id: CVE-2022-32430 info: name: Lin CMS Spring Boot - Default JWT Token author: DhiyaneshDK severity: high description: | An access control issue in Lin CM...
WordPress MapPress Maps <= 2.96.6 - Unauthenticated IDOR
MapPress Maps for WordPress = 2.96.6 contains an authorization bypass caused by missing ownership verification in REST API routes, letting unauthenticated attackers read any map data and authenticated contributors modify any map, exploit requires crafted API requests id: CVE-2026-8839 info: name:...
Casdoor - Authorization Bypass
Casdoor up to 1.811.0 contains an authorization bypass caused by manipulation in HandleScim function in controllers/scim.go, letting remote attackers bypass authorization, exploit requires remote access. id: CVE-2025-4210 info: name: Casdoor - Authorization Bypass author: theamanrawat severity:...
Kaswara Modern VC Addons <= 3.0.1 - Missing Authorization
The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions...
Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update
The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the...
CVE-2026-15622
A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...
CVE-2026-15622 poco-ai poco-claw Workspace API workspace.py get_workspace_file authorization
A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...
CVE-2026-15622
The CVE-2026-15622 entry concerns poco-ai poco-claw Workspace API. Affects the function get_workspace_file in executor_manager/app/api/v1/workspace.py; manipulating the user_id parameter can bypass authorization. Impact is an authorization bypass that can be triggered remotely, with a proof-of-co...
EUVD-2026-43599
A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...
Security Bulletin: IBM WebSphere Application Server Liberty is affected by an authorization bypass vulnerability (CVE-2026-11714)
Summary IBM WebSphere Application Server Liberty is affected by an authorization bypass vulnerability with the apiDiscovery-1.0 feature enabled. Vulnerability Details CVEID:CVE-2026-11714 DESCRIPTION: IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-sid...
EUVD-2026-43538
OpenClaw versions 2026.5.28 before 2026.6.6 contain an authorization bypass vulnerability in native web search that allows lower-trust callers to perform actions requiring stronger policy checks. Attackers can exploit misconfigured input paths to bypass intended authorization controls and execute...
EUVD-2026-43539
OpenClaw versions before 2026.6.6 contain a flaw in host exec environment filtering that can miss interpreter startup variables. When the affected feature is enabled and reachable, a lower-trust caller or configured input path can supply crafted environment variables to execute or persist actions...
EUVD-2026-43535
OpenClaw versions 2026.5.20 before 2026.6.6 contain an authorization bypass vulnerability in the MCP loopback feature that allows lower-trust callers to execute owner-only tools. Attackers can bypass authorization checks through configured input paths to execute or persist actions beyond their...
EUVD-2026-43536
OpenClaw versions 2026.3.22 before 2026.6.6 contain an authorization bypass vulnerability where WhatsApp group IDs can satisfy elevated sender allowlists. Attackers with lower-trust access can perform actions requiring stronger authorization by leveraging group ID validation in the affected featu...