CVE-2026-47365

Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account...

EUVD-2026-36376

Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account...

CVE-2026-47365

Argument injection vulnerability in WordPress Toolkit before 6.11.0 as used in cPanel & WHM, allows remote authenticated users to bypass cross-tenant authorization and execute arbitrary wp-toolkit CLI commands as another account...

PT-2026-38409

Name of the Vulnerable Software and Affected Versions Aegra versions 0.9.0 through 0.9.6 Description Shared instances with multiple authenticated users are susceptible to a cross-tenant Insecure Direct Object Reference IDOR. An authenticated attacker who obtains another user's thread id can execu...

GHSA-J72X-XFWG-783F ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device data of any namespace

Summary GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace tenant. Any authenticated user JWT or API Key who knows or can guess a device UID can read device metadata from any other namespac...

CVE-2026-32252

CVE-2026-32252 – Chartbrew : A cross-tenant authorization bypass exists in GET /team/:team_id/template/generate/:project_id prior to 4.9.0. The handler calls checkAccess(req, "updateAny", "chart") without awaiting the promise and does not verify the project_id belongs to the caller’s team. As a r...