600 matches found
CVE-2026-0282 PAN-OS: File Deletion Vulnerability in Management Web Interface
A file deletion vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to the management web interface to delete files from a temporary directory. The security risk posed by this issue is minimized by restricting access to the management web...
CVE-2026-28378 Cross-Organization Public Dashboard Deletion via Missing Org Isolation
The public dashboard deletion endpoint does not enforce organization isolation, allowing an Org Admin in one organization to delete public dashboards belonging to a different organization by supplying the target dashboard's identifiers...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the tracked-time deletion process. An attacker can remove time tracking entries associated with issues they do not have permission to modify by specifying the time entry ID from anothe...
CVE-2026-25782
Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue...
Improper Authorization
Apache DolphinScheduler is vulnerable to Improper Authorization. The vulnerability is due to incorrect authorization checks when deleting task definitions, where users with valid system login privileges can delete task definitions in projects they are not authorized to manage...
WordPress SearchPlus plugin <= 1.7.1 - Missing Authorization to Unauthenticated Settings Modification and Deletion vulnerability
Missing Authorization to Unauthenticated Settings Modification and Deletion vulnerability discovered by Legion Hunter in WordPress Plugin SearchPlus versions = 1.7.1...
CVE-2026-35082 Local file inclusion vulnerability and deletion in ugw-logread method
The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input...
praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks
Summary Type: Insecure Direct Object Reference. The dependency endpoints POST/GET /workspaces/workspaceid/issues/issueid/dependencies and DELETE .../dependencies/depid gate access on requireworkspacememberworkspaceid only, then dispatch to DependencyService calls that take URL/body-supplied issue...
PT-2026-44996
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note private thread from any conversation, even after that user's access to the mailbox containing the conversation has been...
CVE-2026-9438
The CVE-2026-9438 entry concerns yashpokharna2555 StudentManagementSystem, specifically the courseDel.php component. The issue arises from manipulation of the ID argument, leading to improper control of resource identifiers. This is exploitable remotely and is demonstrated as a public PoC. Accord...
CVE-2021-47979
WordPress Plugin Backup and Restore 1.0.3 contains an arbitrary file deletion vulnerability that allows authenticated attackers to delete files by manipulating parameters in AJAX requests. Attackers can send POST requests to admin-ajax.php with crafted filename and foldername parameters to delete...
PT-2026-41465
Name of the Vulnerable Software and Affected Versions Backup and Restore version 1.0.3 Description Authenticated attackers can delete arbitrary files from the WordPress installation directory. This is achieved by sending POST requests to the 'admin-ajax.php' endpoint with manipulated file name an...
CVE-2026-3892
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107. This is due to insufficient file path validation in the become-dealer logo upload flow. The plugin allows any authenticated user to...
CVE-2026-0259
An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files. This vulnerability affects WF-500 and WF-500-B appliances running in the default non-FIPS configuration mode. The...
CVE-2026-31215
The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /indexname/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied pathorurl parameter...
OpenStack Cyborg 安全漏洞
OpenStack Cyborg is an open-source acceleration resource management and scheduling service component of OpenStack. Versions of OpenStack Cyborg prior to 16.0.1 contained security vulnerabilities. These vulnerabilities stemmed from the fact that the accelerator request API did not enforce project...
EUVD-2026-28156
Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cTrash.empty function does not validate anti-CSRF tokens for trash management requests. An attacker can induce a logged-in administrator to submit a forged request that empties the trash and permanent...
CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess
Summary The deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are passed directly to $forge-dropTable without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables from the theme's own migration...
WordPress plugin WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The WordPres...
CVE-2026-40874
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with /api/v1/delete/fwdhost. Any authenticated user can call this API. Checks are only applied for edit/add actions,...