135 matches found

Positive Technologies, added 2026/05/14 12:0 a.m., 7 views

PT-2026-41181

Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.9. Description: When a non-administrative user logs into the application, a web request to the '/api/models?' endpoint is initiated. The response from this request reveals the system prompts of available models...

CVSS 6.5, AI score 5.8, EPSS 0.00038
Exploits: 1, References: 6
CVE, added 2026/05/04 4:48 p.m., 9 views

CVE-2026-42810

CVE-2026-42810 affects Apache Polaris. The issue arises because Polaris accepts literal ‘’ characters in namespace and table names, and these unescaped characters are reused in temporary S3 access policies for delegated table access. In S3 IAM policy matching, ‘ ’ is treated as a wildcard, allowi...

CVSS 9.9, AI score 5.8, EPSS 0.00115
Exploits: 0, References: 2, Affected Software: 1
Cvelist, added 2026/04/29 8:22 a.m., 25 views

CVE-2026-42515 Insecure Direct Object Reference (IDOR) Vulnerability in e-Sushrut HMIS

This vulnerability exists in e-Sushrut due to improper access control in resource access validation. An authenticated attacker could exploit this vulnerability by manipulating a parameter in the API request URL to gain unauthorized access to sensitive information of patients on the targeted system...

CVSS 7.1, EPSS 0.00059
Exploits: 0, References: 1
Positive Technologies, added 2026/04/23 12:0 a.m., 2 views

PT-2026-34750

A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user...

CVSS 8.7, AI score 5.7, EPSS 0.0011
Exploits: 0, References: 2
Cvelist, added 2026/04/22 1:23 p.m., 23 views

CVE-2026-5749 Inadequate access control vulnerability in Fullstep

Inadequate access control in the registration process in Fullstep V5, which could allow unauthenticated users to obtain a valid JWT token with which to interact with authenticated API resources. Successful exploitation of this vulnerability could allow an unauthenticated attacker to compromise th...

CVSS 8.7, EPSS 0.00095
Exploits: 0, References: 1
EUVD, added 2026/04/08 9:31 a.m., 0 views

EUVD-2026-20330

Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Manager: from n/a through <= 2.4.1...

AI score 5.9, EPSS 0.00037
Exploits: 0, References: 2
ATTACKERKB, added 2026/04/07 4:24 p.m., 1 views

CVE-2026-35605

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.1, the Matches function in rules/rules.go uses strings.HasPrefix without a trailing directory separator when matching paths against access rules. ...

CVSS 6.3, AI score 5.9, EPSS 0.00029
Exploits: 1, References: 3, Affected Software: 1
OSV, added 2026/03/25 11:45 p.m., 1 views

CVE-2026-34051 OpenEMR has Improper ACL On Import/Export Popup

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct request manipulati...

CVSS 5.4, AI score 5.8, EPSS 0.00025
Exploits: 1, References: 5
CVE, added 2026/03/25 4:15 p.m., 6 views

CVE-2026-32533

CVE-2026-32533 (WordPress LatePoint plugin 5.2.6 are implied), or apply vendor-provided mitigation if available in connected sources. If exploitation details are not documented, note that no exploitation details are provided in the supplied documents.

CVSS 6.5, AI score 5.8, EPSS 0.0004
Exploits: 0, References: 1
Cvelist, added 2026/03/13 11:42 a.m., 25 views

CVE-2026-32486 WordPress Travel Booking theme <= 1.3.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in wptravelengine Travel Booking travel-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Booking: from n/a through <= 1.3.9...

CVSS 5.3, EPSS 0.00042
Exploits: 0, References: 1
RedhatCVE, added 2026/03/06 7:55 a.m., 1 views

CVE-2026-23799

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.5...

CVSS 6.5, AI score 5.8, EPSS 0.00042
Exploits: 0, References: 1
Cvelist, added 2026/03/05 5:54 a.m., 32 views

CVE-2026-28135 WordPress Royal Elementor Addons plugin <= 1.7.1052 - Other vulnerability Type vulnerability

Inclusion of Functionality from Untrusted Control Sphere vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1052...

CVSS 8.2, EPSS 0.0006
Exploits: 0, References: 1
Positive Technologies, added 2026/03/05 12:0 a.m., 3 views

PT-2026-23260

Missing Authorization vulnerability in designthemes DesignThemes Directory Addon designthemes-directory-addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DesignThemes Directory Addon: from n/a through <= 1.8...

AI score 5.9, EPSS 0.00042
Exploits: 0, References: 2
Positive Technologies, added 2026/03/05 12:0 a.m., 6 views

PT-2026-23258

Name of the Vulnerable Software and Affected Versions: BoldGrid W3 Total Cache versions through 2.9.1. Description: The software contains an improper validation of specified quantity in input, potentially allowing access to functionality not properly constrained by access control lists (ACLs)...

CVSS 9, AI score 5.8, EPSS 0.00095
Exploits: 1, References: 6
Positive Technologies, added 2026/03/02 12:0 a.m., 2 views

PT-2026-22999

Name of the Vulnerable Software and Affected Versions: OliveTin versions prior to 3000.11.0. Description: OliveTin allows an unauthenticated guest to terminate running actions through the KillAction Remote Procedure Call (RPC) even when authRequireGuestsToLogin: true is enabled. Guests are blocked fro...

CVSS 9.9, AI score 5.9, EPSS 0.07313
Exploits: 68, References: 140
CVE, added 2026/02/26 7:21 p.m., 7 views

CVE-2026-1241

Pelco Sarix Professional 3 Series IP Cameras expose an authentication bypass via their web management interface. The CVE notes insufficient enforcement of access controls, enabling some functionality to be accessed without authentication and potentially allowing unauthorized viewing of live video...

CVSS 8.7, AI score 5.4, EPSS 0.001
Exploits: 0, References: 1
Vulnrichment, added 2026/02/26 7:21 p.m., 3 views

CVE-2026-1241 Authentication Bypass Using an Alternate Path or Channel in Pelco, Inc. Sarix Pro 3 Series IP Cameras

The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lea...

CVSS 8.7, AI score 5.9, EPSS 0.001
Exploits: 0, References: 1
CNNVD, added 2026/02/20 12:0 a.m., 6 views

WordPress plugin Directorist security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVSS 7.1, AI score 5.8, EPSS 0.00018
Exploits: 0, References: 1
Positive Technologies, added 2026/02/20 12:0 a.m., 4 views

PT-2026-21034

Name of the Vulnerable Software and Affected Versions: staviravn AIO WP Builder versions through 2.0.2. Description: An authorization issue exists in staviravn AIO WP Builder all-in-one-wp-builder, allowing exploitation of incorrectly configured access control security levels. Recommendations: Update...

AI score 5.3, EPSS 0.00052
Exploits: 0, References: 4
Vulnrichment, added 2026/02/19 8:27 a.m., 4 views

CVE-2026-25409 WordPress JAMstack Deployments plugin <= 1.1.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in crgeary JAMstack Deployments wp-jamstack-deployments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JAMstack Deployments: from n/a through <= 1.1.1...

AI score 5.5, EPSS 0.00039
Exploits: 0, References: 1