PT-2026-45802

NamelessMC is website software for Minecraft servers. In version 2.2.4,core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. modules/Core/queries/reactions.php allows unauthenticated GET requests for...

CVE-2026-47715

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL. This is a project-boundary authorization issue: a...

WordPress plugin Easy PayPal Events & Tickets 信任管理问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-33460

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...

CVE-2025-11895

The CVE-2025-11895 vulnerability affects Binary MLM Plan (WordPress) versions

Bold Workplanner Insecure Direct Object Reference Vulnerability (CNVD-2025-24044)

Bold Workplanner is an enterprise software for human resource management from the Spanish company Bold Workplanner. Bold Workplanner suffers from an insecure direct object reference vulnerability that can be exploited by an attacker to access plan counter details using an unauthorized internal...

EUVD-2024-38280

Malicious code in bioql PyPI...

EUVD-2023-54734

Malicious code in bioql PyPI...

EUVD-2025-31723

Malicious code in bioql PyPI...

EUVD-2022-4257

Malicious code in bioql PyPI...

CVE-2025-41093

Insecure Direct Object Reference IDOR vulnerability in BOLD Workplanner in versions prior to 2.5.25 4935b438f9b, consisting of a lack of adequate validation of user input, allowing an authenticated user to access to basic contract details using unauthorised internal identifiers...

CVE-2025-41094

Insecure Direct Object Reference IDOR vulnerability in BOLD Workplanner in versions prior to 2.5.25 4935b438f9b, consisting of a lack of adequate validation of user input, allowing an authenticated user to access to functional contract details using unauthorised internal identifiers...

CVE-2025-41095

Insecure Direct Object Reference IDOR vulnerability in BOLD Workplanner in versions prior to 2.5.25 4935b438f9b, consisting of a lack of adequate validation of user input, allowing an authenticated user to access to planning counter details using unauthorised internal identifiers...

Indico may disclose unauthorized user details access via legacy API

Impact A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check. Patches You should to update to Indico 3.3.8 as soon as possible. See the docs for instructions on how to update. Workarounds It ...

Unspecified Vulnerability in Mattermost Confluence Plugin (CNVD-2025-21455)

Mattermost Confluence Plugin is a plugin from Mattermost USA. Mattermost Confluence Plugin contains a security vulnerability that can be exploited by attackers to cause access to subscription details...

Dokploy 安全漏洞

Dokploy is an open source software from Dokploy Open Source. A security vulnerability exists in Dokploy versions prior to 0.23.7, which stems from a low-privileged account being able to retrieve other users' details, potentially leading to information disclosure...

CVE-2025-52920

Innoshop through 0.4.1 allows Insecure Direct Object Reference IDOR at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products...

CVE-2025-52920

Innoshop through 0.4.1 allows Insecure Direct Object Reference IDOR at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products...

CVE-2025-52920

Innoshop (v0.4.1 and earlier) is affected by an IDOR vulnerability in the frontend store. The issue allows disclosure of other customers’ PII and deletion of their product reviews by manipulating IDs in endpoints such as /en/account/orders/{ORDER_ID} and /en/account/reviews/{REVIEW_ID}, or by alt...

CVE-2023-2275

The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'getitem', 'getordernotes' and 'addordernote' functions in versions up to, and including, 1.5.3. This makes it possibl...