48 matches found

Source: CVE (added 6 days ago, 8 views)

CVE-2026-11533

The CVE-2026-11533 entry concerns imvks786 student_management_system (up to commit 9599b560ad3c3b83e75d328b76bedcd489ef1f46). A vulnerability in the file /see.php of the Student Deletion Endpoint allows manipulation of the del parameter to bypass authorization, with remote exploitation possible. ...

CVSS 5.5 | AI score 5.1 | EPSS 0.00043
Exploits: 0 | References: 6

Source: Vulnrichment (added 6 days ago, 4 views)

CVE-2026-11533 imvks786 student_management_system Student Deletion Endpoint see.php improper authorization

A security vulnerability has been detected in imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this vulnerability is an unknown functionality of the file /see.php of the component Student Deletion Endpoint. The manipulation of the argument del leads to...

CVSS 5.5 | AI score 5.1 | EPSS 0.00043
Exploits: 0 | References: 6

Source: CNNVD (added 2026/05/29 12:00 a.m., 5 views)

Sitejo HaPe PKH security vulnerability

Sitejo HaPe PKH is a community poverty alleviation project management system developed by Sitejo Corporation. Version 1.1 of Sitejo HaPe PKH contains a security vulnerability. This vulnerability stems from the lack of authorization for the record deletion endpoint, which may allow unauthenticated...

CVSS 8.7 | AI score 5.8 | EPSS 0.00044
Exploits: 0 | References: 4

Source: CVE (added 2026/05/20 5:31 a.m., 13 views)

CVE-2026-6566

CVE-2026-6566 affects WordPress plugin NextGEN Gallery (Photo Gallery, Sliders, Proofing and Themes) up to version 4.2.0. The vulnerability is an Insecure Direct Object Reference in the image deletion REST flow: DELETE /imagely/v1/images/{id} only enforces the NextGEN "Manage gallery" permission and do...

CVSS 4.3 | AI score 5.7 | EPSS 0.00008
Exploits: 0 | References: 2

Source: Veracode (added 2026/05/16 5:30 a.m., 6 views)

Improper Access Control

github.com/free5gc/udr is vulnerable to Improper Access Control. The vulnerability is due to improper request handling in the Traffic Influence Subscription deletion endpoint, which allows an attacker to bypass validation and delete arbitrary subscriptions despite receiving a misleading 404...

CVSS 8.7 | AI score 5.9 | EPSS 0.00034
Exploits: 1 | References: 1 | Affected software: 1

Source: CVE (added 2026/05/15 6:36 p.m., 12 views)

CVE-2026-46365

This CVE affects phpMyFAQ prior to 4.1.2, where a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint allows any authenticated user (including regular frontend users) to delete arbitrary tags by sending a DELETE with a valid session cookie, causing permanent...

CVSS 5.4 | AI score 5.9 | EPSS 0.0004
Exploits: 0 | References: 2

Source: CNNVD (added 2026/05/15 12:00 a.m., 8 views)

phpMyFAQ security vulnerability

phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.1.2 contained a security vulnerability. This vulnerability stemmed from the lack of authorization for the DELETE /admin/api/content/tags/{tagId} endpoint. As a result, any...

CVSS 5.4 | AI score 5.8 | EPSS 0.0004
Exploits: 0 | References: 1

Source: RedhatCVE (added 2026/05/13 2:22 p.m., 3 views)

CVE-2026-31241

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A...

CVSS 6.5 | AI score 6 | EPSS 0.00218
Exploits: 0 | References: 1

Source: OSV (added 2026/05/12 6:30 p.m., 5 views)

GHSA-GQ6F-QWV9-RF4J mem0 server lacks authentication and authorization controls for its memory deletion API endpoint

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A...

CVSS 6.5 | AI score 6 | EPSS 0.00218
Exploits: 0 | References: 3

Source: NVD (added 2026/05/12 6:16 p.m., 5 views)

CVE-2026-31241

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A...

CVSS 6.5 | EPSS 0.00218
Exploits: 0 | References: 2

Source: CVE (added 2026/05/12 5:35 p.m., 13 views)

CVE-2026-42048

Langflow prior to 1.9.0 is vulnerable to path traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases) due to user-supplied kb_names being concatenated into file paths. The issue stems from building paths manually and passing them to deletion without proper normalization, enabling an...

CVSS 9.6 | AI score 5.9 | EPSS 0.00021
Exploits: 1 | References: 1 | Affected software: 1

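The CVE-2026-42048 entry above describes the general pattern: a user-supplied name is concatenated into a filesystem path and handed to a delete routine without normalization. The following is an added example, not Langflow's code, showing the naive join beside a hardened resolver that rejects separators and traversal and then confirms the resolved target still sits directly under the root. The root directory, the function names and the sample inputs are assumptions for illustration.

```python
"""Added example (not Langflow's code): resolving a user-supplied knowledge-base
name under a fixed root before a DELETE, versus naive string concatenation.
Root directory, names and sample inputs are assumptions for illustration."""
from pathlib import Path
import shutil
import tempfile


def naive_kb_path(root: Path, kb_name: str) -> Path:
    """Vulnerable pattern: concatenate the name into the path with no
    normalisation. A name such as '../outside' escapes the root."""
    return Path(str(root) + "/" + kb_name)


def safe_kb_path(root: Path, kb_name: str) -> Path:
    """Hardened pattern: reject separators, NUL and dot names up front, then
    resolve (which also follows symlinks) and require the result to be a
    direct child of the resolved root."""
    if (not kb_name or kb_name in {".", ".."}
            or "/" in kb_name or "\\" in kb_name or "\0" in kb_name):
        raise ValueError("invalid knowledge base name")
    root_resolved = root.resolve()
    candidate = (root_resolved / kb_name).resolve()
    if candidate.parent != root_resolved:
        raise ValueError("knowledge base name escapes the root")
    return candidate


def escapes_root(root: Path, kb_name: str) -> bool:
    """True when the naive join lands outside the root (what an attacker relies on)."""
    target = naive_kb_path(root, kb_name).resolve()
    root_resolved = root.resolve()
    return target != root_resolved and root_resolved not in target.parents


def delete_kb(root: Path, kb_name: str) -> bool:
    """Delete one knowledge-base directory only after validation; returns
    whether something was removed."""
    target = safe_kb_path(root, kb_name)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True


def rejected(root: Path, kb_name: str) -> bool:
    """Helper for the demo: does the hardened resolver refuse this name?"""
    try:
        safe_kb_path(root, kb_name)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: a temporary root holding one real KB ('docs') and a
    sibling directory 'outside' that must survive a traversal attempt."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "knowledge_bases"
        (root / "docs").mkdir(parents=True)
        (base / "outside").mkdir()
        results = {
            "naive_escapes": escapes_root(root, "../outside"),
            "traversal_rejected": rejected(root, "../outside"),
            "slash_rejected": rejected(root, "docs/../../outside"),
            "dotdot_rejected": rejected(root, ".."),
            "legit_deleted": delete_kb(root, "docs"),
        }
        results["outside_survives"] = (base / "outside").is_dir()
        return results


if __name__ == "__main__":
    print(demo())
```

Checking `candidate.parent == root` after `resolve()` is stricter than a prefix test on the string form: it also catches a knowledge-base entry that is a symlink pointing outside the root, and it avoids the classic `/srv/kb` vs `/srv/kb_backup` prefix confusion.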
Source: CVE (added 2026/05/12 12:00 a.m., 8 views)

CVE-2026-31241

The CVE-2026-31241 entry concerns the mem0 1.0.0 server, where the DELETE /memories endpoint fails to enforce authentication/authorization. This allows unauthenticated attackers to delete memory records by supplying arbitrary identifiers (e.g., user_id, run_id, agent_id) via query parameters, pot...

CVSS 6.5 | AI score 6 | EPSS 0.00218
Exploits: 0 | References: 2 | Affected software: 1

Source: Cvelist (added 2026/05/12 12:00 a.m., 28 views)

CVE-2026-31241

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers (e.g., user_id, run_id, agent_id) in the request query parameters. A...

EPSS 0.00218
Exploits: 0 | References: 2

Source: NVD (added 2026/05/07 3:16 a.m., 10 views)

CVE-2026-4807

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin expose...

CVSS 6.5 | EPSS 0.00025
Exploits: 0 | References: 8

Source: CVE (added 2026/05/07 2:27 a.m., 16 views)

CVE-2026-4807

CVE-2026-4807 affects the WordPress plugin "Appointment Booking Calendar" (publicly exposed at WordPress.org) up to version 1.6.10.6. The root cause is missing authorization caused by flawed logic in nonce_permissions_check() combined with a site-wide public nonce exposed via /wp-json/ssa/v1/embe...

CVSS 6.5 | AI score 5.9 | EPSS 0.00025
Exploits: 0 | References: 8

Source: Positive Technologies (added 2026/04/17 12:00 a.m., 3 views)

PT-2026-33542

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint SelectDelete.php performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a...

CVSS 8.1 | AI score 5.7 | EPSS 0.00006
Exploits: 0 | References: 4

Source: Positive Technologies (added 2026/04/16 12:00 a.m., 1 view)

PT-2026-33380

Summary: The unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership...

CVSS 5.3 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 7

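Three entries on this page fail the same way at different points of an ownership check on a delete: the mem0 entries (CVE-2026-31241) have no authenticated principal at all and take the owner from a query parameter, the NextGEN Gallery entry (CVE-2026-6566) checks a capability but not who owns the object, and PT-2026-33380 has a guard whose ownership test short-circuits to "allowed" when the record has no owner. The following is an added example, not code from mem0, NextGEN Gallery or the project behind PT-2026-33380, that puts the vulnerable guard next to a hardened one: the owner is compared against the session identity, never against a request parameter, and an ownerless record is explicitly admin-only rather than falling through. The Principal/Record shapes, the store class and all names are assumptions for illustration.

```python
"""Added example, not code from mem0, NextGEN Gallery or the project behind
PT-2026-33380: a delete guard bound to the authenticated principal, with
ownerless (None) records treated as admin-only. Shapes and names are assumed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class Principal:
    user_id: str
    is_admin: bool = False


@dataclass
class Record:
    record_id: int
    owner_id: Optional[str]  # None marks a global, admin-created record


class Forbidden(Exception):
    pass


def vulnerable_can_delete(record: Record, requested_owner: str) -> bool:
    """Pattern the advisories describe: there is no principal, the owner to
    match comes from a query parameter, and `owner is not None and owner !=
    requested` is False for ownerless records, so those are always deletable."""
    if record.owner_id is not None and record.owner_id != requested_owner:
        return False
    return True


def can_delete(principal: Optional[Principal], record: Record) -> bool:
    """Hardened guard: an authenticated principal is required, ownership is
    compared with the session identity, and a None owner means admin-only."""
    if principal is None:
        return False
    if principal.is_admin:
        return True
    if record.owner_id is None:
        return False
    return record.owner_id == principal.user_id


class RecordStore:
    def __init__(self, records: Iterable[Record]) -> None:
        self.records: Dict[int, Record] = {r.record_id: r for r in records}

    def delete(self, principal: Optional[Principal], record_id: int) -> bool:
        """Authorise before touching storage; an unknown ID is a plain False."""
        record = self.records.get(record_id)
        if record is None:
            return False
        if not can_delete(principal, record):
            raise Forbidden(f"record {record_id}")
        del self.records[record_id]
        return True


def demo() -> dict:
    """Constructed scenario: alice's record (1), a global record (2), and bob
    attacking both; then the legitimate deletions by alice and an admin."""
    alice, bob = Principal("alice"), Principal("bob")
    admin = Principal("root", is_admin=True)
    store = RecordStore([Record(1, "alice"), Record(2, None)])
    out = {
        # bob simply names alice in the query parameter
        "vuln_bob_deletes_alices": vulnerable_can_delete(store.records[1], "alice"),
        # the None owner short-circuits the guard
        "vuln_bob_deletes_global": vulnerable_can_delete(store.records[2], "bob"),
        "bob_blocked_on_alices": False,
        "bob_blocked_on_global": False,
    }
    for rid, key in ((1, "bob_blocked_on_alices"), (2, "bob_blocked_on_global")):
        try:
            store.delete(bob, rid)
        except Forbidden:
            out[key] = True
    out["alice_deletes_own"] = store.delete(alice, 1)
    out["admin_deletes_global"] = store.delete(admin, 2)
    out["remaining"] = len(store.records)
    return out


if __name__ == "__main__":
    print(demo())
```

The ordering inside `can_delete` is the point: the "no owner" branch is decided explicitly and before the equality test, so a NULL/None marker can never make the whole condition evaluate to "allowed" by accident.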
Source: Github Security Blog (added 2026/04/14 11:13 p.m., 4 views)

WWBN AVideo: missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators

Summary: objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check Origin/Referer. Because AVideo intentionally sets...

CVSS 5.4 | AI score 5.5 | EPSS 0.00028
Exploits: 1 | References: 4 | Affected software: 1

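The ChurchCRM entry (PT-2026-33542) and the AVideo entry above are both CSRF on a delete: one is reachable by a plain GET, the other is a POST-style JSON endpoint that checks neither a token nor Origin/Referer. The following is an added example, not ChurchCRM's or AVideo's code, of the three checks a state-mutating delete should run before acting: refuse GET, require a same-origin Origin (or Referer) header, and compare a per-session token in constant time. The request dict shape, the session dict, the allowed origin and the helper names are assumptions for illustration.

```python
"""Added example, not ChurchCRM's or AVideo's code: pre-action checks for a
state-mutating delete endpoint. Request shape, session format, allowed origin
and helper names are assumptions for illustration."""
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.test"}  # assumed deployment origin


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session secret; embed it in the delete form body, never in a URL."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(request: dict) -> Optional[str]:
    """Origin header first; fall back to scheme+host of Referer."""
    headers = request.get("headers", {})
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_delete_request(request: dict, session: dict) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; the token is the
    primary control, the origin check is defence in depth."""
    if request.get("method") != "POST":
        return False, "destructive action must not be reachable by GET"
    if request_origin(request) not in ALLOWED_ORIGINS:
        return False, "missing or foreign Origin/Referer"
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not isinstance(supplied, str) or not supplied.isascii():
        return False, "CSRF token missing or malformed"
    if not hmac.compare_digest(expected, supplied):
        return False, "CSRF token mismatched"
    return True, "ok"


def demo() -> dict:
    """Constructed requests: a cross-site image-tag GET (the ChurchCRM pattern),
    a cross-site auto-submitted POST without the token (the AVideo pattern), and
    the legitimate same-origin form submission carrying the session token."""
    session = {"user": "moderator"}
    token = issue_csrf_token(session)
    forged_get = {"method": "GET",
                  "headers": {"Referer": "https://evil.example.test/lure"},
                  "query": {"comment_id": "42"}}
    forged_post = {"method": "POST",
                   "headers": {"Origin": "https://evil.example.test"},
                   "form": {"comment_id": "42"}}
    legit_post = {"method": "POST",
                  "headers": {"Origin": "https://app.example.test"},
                  "form": {"comment_id": "42", "csrf_token": token}}
    return {
        "forged_get": check_delete_request(forged_get, session)[0],
        "forged_post": check_delete_request(forged_post, session)[0],
        "legit_post": check_delete_request(legit_post, session)[0],
        # the same token presented against a different session must fail
        "replayed_token": check_delete_request(legit_post, {"csrf_token": "other"})[0],
    }


if __name__ == "__main__":
    print(demo())
```

Browsers always send Origin on cross-site POSTs, so requiring it on POST is safe; Referer can be stripped by privacy settings, which is why it is only a fallback and why the token, not the header check, is the control that must hold on its own. `hmac.compare_digest` is used so a wrong token does not leak how many leading characters matched through timing.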
Source: RedhatCVE (added 2026/03/27 4:59 a.m., 2 views)

CVE-2026-34053

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint interface/forms/procedureorder/handledeletions.php allows any authenticated user, regardless of role, to...

CVSS 8.1 | AI score 5.8 | EPSS 0.00021
Exploits: 1 | References: 1

Source: Vulnrichment (added 2026/03/25 11:46 p.m., 1 view)

CVE-2026-34053 OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint interface/forms/procedureorder/handledeletions.php allows any authenticated user, regardless of role, to...

CVSS 7.1 | AI score 5.8 | EPSS 0.00021
Exploits: 1 | References: 3