Lucene search
+L

605 matches found

NVD
NVD
added 2 days ago10 views

CVE-2026-48014

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, the order state transition features /api/action/order/orderId/state/transition and similar transaction and delivery transition routes in src/Core/Checkout/Order/Api/OrderActionController.php do not declare...

6.5CVSS0.00233EPSS
Exploits0References5
NVD
NVD
added 2 days ago7 views

CVE-2026-63307

Chat2DB before 5.3.0 contains an insecure direct object reference vulnerability in the GET /api/connection/datasource/id endpoint. The handler calls dataSourceService.queryExistentid, ... without an ownership check and returns the decrypted password field, allowing any authenticated non-admin use...

7.1CVSS0.00231EPSS
Exploits0References3
NVD
NVD
added 2 days ago6 views

CVE-2026-11966

The User Registration & Membership WordPress plugin before 5.2.3 does not perform a capability check for unauthenticated callers on one of its membership payment actions and acts on a caller-supplied user identifier, allowing unauthenticated attackers to delete recently-registered, payment-pendin...

5.3CVSS0.00182EPSS
Exploits0References1
NVD
NVD
added 4 days ago7 views

CVE-2026-53447

Wekan is open source kanban built with Meteor. Prior to 9.35, the Wekan cloneBoard Meteor method in models/import.js uses caller-supplied sourceBoardId to build a board export through models/exporter.js without invoking canExport or checking source-board membership. Any authenticated user who kno...

6.5CVSS0.00231EPSS
Exploits0References3
NVD
NVD
added 4 days ago7 views

CVE-2026-53445

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.userId, membership, or admin access. Any authenticated user can copy a private board they are not a...

7.1CVSS0.00238EPSS
Exploits0References3
EUVD
EUVD
added 5 days ago9 views

EUVD-2026-43594

SAP Create Single Payment does not perform necessary authorization checks for an authenticated user, a restricted user could access specific entity set keys resulting in disclosure of information. This has low impact on confidentiality, with no impact on integrity and availability of the...

4.3CVSS6.1AI score0.00168EPSS
Exploits0References2
NVD
NVD
added 6 days ago6 views

CVE-2026-12396

The WP Job Portal WordPress plugin before 2.5.5 does not perform capability or ownership checks before allowing job moderation actions, allowing authenticated users with a subscriber-level self-registerable account to approve, feature, or reject arbitrary jobs, including those owned by other user...

5.4CVSS0.0017EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/11 1:1 p.m.8 views

EUVD-2026-43177

PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and...

7.3CVSS6.2AI score0.00246EPSS
Exploits0References2
NVD
NVD
added 2026/07/11 4:17 a.m.7 views

CVE-2026-13353

The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for installaddon,...

8.8CVSS0.00606EPSS
Exploits0References6
CVE
CVE
added 2026/07/10 9:9 p.m.9 views

CVE-2026-47422

CVE-2026-47422 affects the Frappe framework. An endpoint in reportview allowed unrestricted access to save_report due to missing permission checks prior to versions 15.107.5 and 16.18.2. The issue is fixed in those versions (15.107.5 and 16.18.2). The provided references include a GitHub advisory...

5.3CVSS6.1AI score0.00278EPSS
Exploits0References1
OSV
OSV
added 2026/07/10 9:9 p.m.2 views

CVE-2026-47422 Frappe: Unrestricted API access to save_report

Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2...

5.3CVSS6.1AI score0.00278EPSS
Exploits0References3
OSV
OSV
added 2026/07/10 6:24 p.m.3 views

CVE-2026-61460 Krayin CRM Insecure Direct Object Reference via Controllers

Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...

8.7CVSS6.1AI score0.0028EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/10 1:57 p.m.6 views

EUVD-2026-42890

Vikunja before 2.2.1 contains an authorization flaw where the LinkSharing.ReadAll endpoint exposes share hashes to users with read access, enabling permission escalation to admin-level shares. The GetTaskAttachment endpoint performs permission checks against user-supplied task IDs but fetches...

9.8CVSS6.1AI score0.00351EPSS
Exploits0References2
NVD
NVD
added 2026/07/08 9:16 p.m.8 views

CVE-2026-8472

GitLab has remediated an issue in GitLab EE affecting all versions from 18.9 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user with minimal access permissions to read work item metadata from private projects due to...

4.3CVSS0.00243EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.7 views

PT-2026-56621

Name of the Vulnerable Software and Affected Versions CAXperts UPVWebServices versions 2.4.2212.603 through 2.7.6 UDiTH Portal versions 2026.0.0 through 2026.2.0 Description An authenticated remote user can invoke an administrative API endpoint intended for privileged users. Due to missing...

8.1CVSS6.1AI score0.00276EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/06 8:12 a.m.34 views

CVE-2026-53913 Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely 'Failing Open' vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess, which performs three checks ...

0.00619EPSS
Exploits0References1
OSV
OSV
added 2026/07/03 12:47 p.m.4 views

CVE-2026-59234 Authorization Bypass Through User-Controlled Key in Prospero Flow CRM calendar event deletion

Authorization Bypass Through User-Controlled Key CWE-639 in CalendarDeleteEventController app/Http/Controllers/Calendar/CalendarDeleteEventController.php, exposed at GET /calendar/event/delete/id, in Prospero Flow CRM before 5.5.3 allows a remote, authenticated attacker to delete arbitrary calend...

6.9CVSS6AI score0.00403EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/02 6:0 a.m.8 views

EUVD-2026-41254

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

2.7CVSS5.7AI score0.00189EPSS
Exploits0References1
NVD
NVD
added 2026/07/01 7:16 p.m.9 views

CVE-2026-55628

In versions prior to 7.1.2-26he, the -concatenate operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26...

5.5CVSS0.00098EPSS
Exploits0References1
OSV
OSV
added 2026/07/01 7:16 p.m.3 views

DEBIAN-CVE-2026-55628

In versions prior to 7.1.2-26he, the -concatenate operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26...

5.5CVSS5.7AI score0.00098EPSS
Exploits0References1
Rows per page
Query Builder