Lucene search
K

219900 matches found

EUVD
EUVD
added 2026/06/17 2:21 p.m.8 views

EUVD-2026-37725

Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1...

7.5CVSS5.3AI score0.00243EPSS
Exploits0References1
NVD
NVD
added 2026/06/17 2:17 p.m.9 views

CVE-2026-54814

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109...

8.1CVSS0.00337EPSS
Exploits0References1
NVD
NVD
added 2026/06/17 2:17 p.m.8 views

CVE-2025-69189

Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3...

7.3CVSS0.00178EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/17 2:16 p.m.11 views

Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion

Summary Open WebUI's prompt version-history endpoints authorize the promptid in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt historyentry.promptid == prompt.id. Three operations are affected: - GET...

6.4CVSS5.6AI score0.00169EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/17 2:15 p.m.18 views

Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion

Summary Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two...

7.1CVSS5.6AI score0.00198EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/17 2:9 p.m.10 views

Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar

Summary POST /api/v1/calendars/events/eventid/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendarid supplied in the request body. The model layer then persists the new calendarid unconditionally. A regula...

4.3CVSS5.4AI score0.00179EPSS
Exploits1References2Affected Software1
Patchstack
Patchstack
added 2026/06/17 2:7 p.m.6 views

WordPress Five Star Restaurant Reservations plugin <= 2.7.19 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Vincent Sevkli in WordPress Plugin Five Star Restaurant Reservations versions = 2.7.19...

7.5CVSS5.8AI score0.00238EPSS
Exploits0Affected Software1
CVE
CVE
added 2026/06/17 2:4 p.m.13 views

CVE-2026-54415

CVE-2026-54415 is a broken access control issue in Azuriom CMS before 1.2.11. An authenticated user with the admin.access permission can abuse server-management routes to create AzLink server tokens and take over non-admin user accounts by changing passwords and emails. The vulnerability exists i...

8.6CVSS5.3AI score0.00348EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/17 2:4 p.m.19 views

CVE-2026-11311 NGINX Gateway Fabric vulnerability

When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens field and the...

8.6CVSS0.0059EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/06/17 1:59 p.m.8 views

WordPress Motors plugin <= 1.4.109 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by HaiND in WordPress Plugin Motors versions = 1.4.109...

7.5CVSS5.8AI score0.00238EPSS
Exploits0Affected Software1
Cvelist
Cvelist
added 2026/06/17 1:49 p.m.16 views

CVE-2025-69189 WordPress JobBank plugin <= 1.2.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3...

7.3CVSS0.00178EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/17 1:49 p.m.9 views

EUVD-2025-210248

Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3...

7.3CVSS5.2AI score0.00178EPSS
Exploits0References1
F5 Networks
F5 Networks
added 2026/06/17 1:43 p.m.11 views

K000161611: NGINX Gateway Fabric vulnerability CVE-2026-11311

Security Advisory Description When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied string values from the NginxProxy Custom Resource Definition serverTokens...

8.6CVSS5.5AI score0.0059EPSS
Exploits0Affected Software1
EUVD
EUVD
added 2026/06/17 1:41 p.m.10 views

EUVD-2026-37709

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109...

8.1CVSS5.3AI score0.00337EPSS
Exploits0References1
NVD
NVD
added 2026/06/17 1:20 p.m.7 views

CVE-2026-49072

Unauthenticated Broken Access Control in WooCommerce Anti-Fraud = 7.2.6 versions...

6.5CVSS0.00309EPSS
Exploits0References1
NVD
NVD
added 2026/06/17 1:20 p.m.9 views

CVE-2026-49057

Unauthenticated Broken Access Control in JobSearch = 3.2.7 versions...

7.5CVSS0.00296EPSS
Exploits0References1
NVD
NVD
added 2026/06/17 1:20 p.m.7 views

CVE-2026-48797

Backpropagate is a Python library for fine-tuning large language models on a single GPU. In versions 1.1.0 and 1.1.1, the optional Reflex web UI exposes a training control plane without authentication: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and...

9.3CVSS0.00324EPSS
Exploits0References2
NVD
NVD
added 2026/06/17 1:20 p.m.7 views

CVE-2026-48616

Rocket.Chat versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rcroomtype=l with rcrid+rctoken, but the authorization path does not verify...

9.3CVSS0.00304EPSS
Exploits0References2
NVD
NVD
added 2026/06/17 1:20 p.m.10 views

CVE-2026-45436

Subscriber Broken Access Control in WPBakery Page Builder = 8.7.2 versions...

6.5CVSS0.00304EPSS
Exploits0References1
NVD
NVD
added 2026/06/17 1:20 p.m.8 views

CVE-2026-40726

Unauthenticated Broken Access Control in User Registration Stripe = 1.3.14 versions...

8.2CVSS0.00244EPSS
Exploits0References1
Rows per page
Query Builder