CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD-2026-38135

GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization...

3.7CVSS5.8AI score

ATTACKERKB•added 3 days ago•6 views

CVE-2026-56355

GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization...

3.7CVSS5.8AI score

Exploits0References7Affected Software1

CVE•added 3 days ago•11 views

CVE-2026-56355

CVE-2026-56355 affects GNU Savannah Administration Savane up to version 3.17. The connected documents describe an authorization issue caused by using untrusted data in the authorization path. No explicit exploit vectors, impact details, or remediation/fixes are provided in the documents. Technica...

3.7CVSS5.8AI score

EUVD-2026-38132

AVideo through 29.0 contains an authorization bypass vulnerability in the Meet plugin's uploadRecordedVideo.json.php endpoint that derives the target usersid from the uploaded filename without verification. An attacker with knowledge of the Meet shared secret can craft a malicious file upload wit...

9.2CVSS6AI score

CVE•added 3 days ago•11 views

CVE-2026-56345

AVideo 29.0 contains an authorization bypass via the Meet plugin's uploadRecordedVideo.json.php endpoint. The vulnerability derives the target users_id from the uploaded filename without verification, allowing a crafted file (e.g., filename like 1-anything.mp4) to trigger passwordless User->lo...

9.2CVSS6AI score

NVD•added 3 days ago•10 views

CVE-2026-56295

Capgo before 12.128.2 contains an authorization bypass vulnerability in webhook management endpoints that allows non-expiring API keys to bypass the requireapikeyexpiration organization policy. The checkWebhookPermission function fails to call apikeyHasOrgRightWithPolicy, enabling attackers with...

6.3CVSS

NVD•added 3 days ago•8 views

CVE-2026-56235

Cap-go capgo before 12.128.2 contains an authorization bypass in several Supabase PostgREST RPC functions getappmetrics, getglobalmetrics, gettotalmetrics that are granted to the anon role without enforcing org membership or permission checks. An unauthenticated attacker using only the public...

6.9CVSS

EUVD•added 3 days ago•6 views

EUVD-2026-38122

6.3CVSS5.9AI score

EUVD-2026-38117

6.9CVSS5.9AI score

NVD•added 3 days ago•8 views

CVE-2026-12119

The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and...

6.5CVSS

Cvelist•added 3 days ago•29 views

CVE-2026-12119 Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute

6.5CVSS

CVE•added 3 days ago•17 views

CVE-2026-12119

The CVE concerns the Simple File List WordPress plugin (≤6.3.7). A missing authorization check on the frontmanage shortcode attribute allows authenticated users with contributor-level access or higher to perform arbitrary file operations (delete, move, folder creation, download). The vulnerabilit...

6.5CVSS6AI score

Cvelist•added 3 days ago•27 views

CVE-2026-11912 Simple File List <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action

The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the serve. This vulnerability is...

7.5CVSS

Exploits0References7

NVD•added 3 days ago•7 views

CVE-2026-56213

Capgo before 12.128.2 contains an authorization bypass vulnerability in the public.upsertversionmeta SECURITY DEFINER function exposed via PostgREST RPC, allowing unauthenticated attackers to insert arbitrary rows into versionmeta for any appid. Attackers can exploit this by calling the RPC...

6.9CVSS

EUVD•added 3 days ago•8 views

EUVD-2026-38093

Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhookdeliveries endpoints to exfiltrate HMAC signing...

7.1CVSS5.9AI score

Exploits0References3

EUVD-2026-38099

6.9CVSS6AI score

Cvelist•added 4 days ago•14 views

CVE-2026-56079 Capgo - Cross-Tenant Authorization Bypass via PostgREST Webhook Access

7.1CVSS

CVE•added 4 days ago•13 views

CVE-2026-56079

Capgo before 12.128.2 contains a cross-tenant authorization bypass in PostgREST endpoints that lets org-scoped read API keys access other tenants’ webhook secrets and delivery logs. Attackers can query webhooks and webhook_deliveries to exfiltrate HMAC signing secrets and delivery payloads, enabl...

7.1CVSS5.9AI score

NVD•added 4 days ago•7 views

CVE-2026-50559

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons %3B to smuggle matrix parameters past the security layer,...

7.5CVSS

Exploits0References1

NVD•added 4 days ago•6 views

CVE-2026-48794

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on SSO for applications via a web portal. In versions 4.36.0 through 4.39.19, due to lack of canonicalization of domains in very specific edge cases, an access control rule may b...

2.3CVSS0.00043EPSS