3 matches found
CVE-2026-8611 Klamra Paycal for Aspaclaria <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via 'invoice_id' Parameter
The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoiceid' parameter due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with...
CVE-2026-32122
OpenEMR (Claim File Tracker UI/AJAX Endpoint) exposes billing claim metadata to authenticated users lacking proper billing permissions prior to version 8.0.0.1 due to missing authorization on the Claim File Tracker endpoint. This is fixed in 8.0.0.1. The vulnerability stems from ACLs not matching...
New Relic: Restricted user can view all account invoices, payment method details, PII of account owner through zoura_api endpoints
Around November of last year you switched to using Zuora https://www.zuora.com/ to handle your New Relic customer subscriptions. As a restricted user without administrative privileges, I am unable to view any data associated with the billing page https://rpm.newrelic.com/accounts/1523936/payments...