EUVD-2026-37620

Unauthenticated Broken Access Control in User Registration Stripe = 1.3.12 versions...

EUVD-2026-37610

Subscriber Broken Access Control in WPBakery Page Builder = 8.7.2 versions...

EUVD-2026-37595

Unauthenticated Broken Access Control in User Registration Stripe = 1.3.14 versions...

EUVD-2026-37588

Author Broken Access Control in W3 Total Cache = 2.9.1 versions...

EUVD-2026-37592

Subscriber Broken Access Control in Bricks Builder = 2.1.4 versions...

EUVD-2026-37579

Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yoast SEO Premium: from n/a through 26.6...

EUVD-2026-37664

Subscriber Broken Access Control in MetForm Pro = 3.9.1 versions...

EUVD-2026-37665

Unauthenticated Broken Access Control in MetForm Pro = 3.9.1 versions...

EUVD-2026-37662

Unauthenticated Broken Access Control in WordPress Dating Theme = 11.2.0 versions...

EUVD-2026-37663

Subscriber Broken Access Control in WishList Member X = 3.29.0 versions...

CVE-2026-55197

Hermes WebUI before 0.51.443 has a broken access control weakness in the /api/session endpoint. Authenticated users can bypass profile boundaries and query session IDs from other profiles via GET /api/session?session_id=&messages=1 to retrieve unauthorized transcripts and metadata. This affects t...

CVE-2026-55196 Hermes WebUI < 0.51.409 - Unauthenticated Passkey Registration via Authentication Bypass

Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMESWEBUIPASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options an...

CVE-2026-55196

Hermes WebUI prior to version 0.51.409 contains an authentication bypass in passkey registration. When HERMES_WEBUI_PASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options and POST /api/auth/passkey/register are accessible without authentication, allowing an att...

Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode

RAG ACL Bypass in Milvus Multitenancy Mode Summary This is a bypass of the fix for: - GHSA-h36f-rqpx-j5wx - CVE-2026-44560 - "Unauthorized File and Knowledge Base Content Access via RAG Vector Search" Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus...

Improper Access Control

@astrojs/netlify is vulnerable to Improper Access Control. The vulnerability is due to overly permissive conversion of Astro image.remotePatterns into Netlify Image CDN regular expressions, which allows an attacker to bypass intended hostname and pathname restrictions and access unintended remote...

CVE-2026-12515

A flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the editproducts permission to query content information for repositories outside the products they were authorized to...

netty-codec-http: Netty: Data manipulation via request-boundary confusion in HttpObjectDecoder

A flaw was found in Netty. The HttpObjectDecoder component, which processes incoming HTTP requests, incorrectly skips certain control characters and whitespace before reading the first request line. This behavior, which goes beyond standard HTTP protocol requirements, can lead to request-boundary...

CVE-2026-54810

Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1...

CVE-2026-35066

Dell PowerFlex Manager, versions prior to 5.1.0.1, contains an Improper Access Control vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to denial of service...

CVE-2026-35067

Dell PowerFlex Manager, versions prior to 5.1.0.1, contains an Improper Access Control vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges and Unauthorized access...