Lucene search
K

24 matches found

Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-57994 phpMyFAQ - Information Disclosure of Inactive FAQ Content via Public API Endpoints

phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across its public FAQ API endpoints, allowing unauthenticated attackers to retrieve inactive draft or review-only FAQ content. Specifically, GET /api/v3.1/faq/categoryId/faqId returns the inactive FAQ title and...

6.9CVSS0.00214EPSS
Exploits0References2
NVD
NVD
added 6 days ago7 views

CVE-2026-54004

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites with content.fileRedirects enabled could redirect unauthenticated clean file URL requests for files stored in top-level draft pages to physical media URLs without checking page access permissions or preview...

6.3CVSS0.00312EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-54004

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites with content.fileRedirects enabled could redirect unauthenticated clean file URL requests for files stored in top-level draft pages to physical media URLs without checking page access permissions or preview...

6.3CVSS5.9AI score0.00312EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/03/16 3:30 p.m.5 views

EUVD-2026-12184

The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7...

5.3CVSS5.8AI score0.00262EPSS
Exploits0References3
OSV
OSV
added 2026/03/10 6:22 p.m.4 views

GHSA-VG3J-HPM9-8V5V Craft CMS has a potential information disclosure vulnerability in preview tokens

Summary Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview...

2.3CVSS5.8AI score0.00174EPSS
Exploits0References4
Veracode
Veracode
added 2026/02/05 8:54 a.m.6 views

Broken Object Level Authorization (BOLA)

studiocms is vulnerable to a Broken Object Level Authorization BOLA vulnerability. The vulnerability is due to missing authorization checks in the Content Management feature, which allows a user with the “Visitor” role to access draft content created by Editor, Admin, or Owner users...

6.5CVSS5.5AI score0.00295EPSS
Exploits2References4Affected Software1
CNVD
CNVD
added 2026/02/03 12:0 a.m.5 views

StudioCMS Information Disclosure Vulnerability (CNVD-2026-18155)

StudioCMS is StudioCMS open source a content management system . StudioCMS suffers from an information disclosure vulnerability that stems from the presence of corrupted object-level authorization in the content management functionality, which can be exploited by an attacker to cause a user with...

6.5CVSS5.3AI score0.00295EPSS
Exploits2
RedhatCVE
RedhatCVE
added 2026/01/29 3:26 a.m.11 views

CVE-2026-24134

StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization BOLA vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by...

6.5CVSS5.9AI score0.00295EPSS
Exploits2References1
NVD
NVD
added 2026/01/28 12:15 a.m.13 views

CVE-2026-24134

StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization BOLA vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by...

6.5CVSS0.00295EPSS
Exploits2References3
CNNVD
CNNVD
added 2026/01/28 12:0 a.m.7 views

StudioCMS 安全漏洞

StudioCMS is StudioCMS open source a content management system . StudioCMS suffers from an information disclosure vulnerability that stems from the presence of corrupted object-level authorization in the content management functionality, which can be exploited by an attacker to cause a user with...

6.5CVSS5.8AI score0.00295EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/01/27 11:34 p.m.35 views

CVE-2026-24134 StudioCMS has an Authorization Bypass Through User-Controlled Key

StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization BOLA vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by...

6.5CVSS0.00295EPSS
Exploits2References3
OSV
OSV
added 2026/01/27 11:34 p.m.7 views

CVE-2026-24134 StudioCMS has an Authorization Bypass Through User-Controlled Key

StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization BOLA vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by...

6.5CVSS5.9AI score0.00295EPSS
Exploits2References5
CVE
CVE
added 2026/01/27 11:34 p.m.21 views

CVE-2026-24134

StudioCMS prior to v0.2.0 is affected by a Broken Object Level Authorization (BOLA) in the Content Management feature. The vulnerability allows users with the Visitor role to access draft content created by Editors/Admins/Owners, effectively bypassing RBAC for unpublished content. The issue is mi...

6.5CVSS5.9AI score0.00295EPSS
Exploits2References3Affected Software1
Snyk
Snyk
added 2026/01/27 10:13 p.m.3 views

Missing Authorization

Overview studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community. Affected versions of this package are vulnerable to Missing Authorization via the edit endpoint in the content management feature. An attacker can gain unauthorized access to draft conte...

6.5CVSS5.9AI score0.00295EPSS
Exploits2References3
OSV
OSV
added 2026/01/27 10:13 p.m.4 views

GHSA-8CW6-53M5-4932 StudioCMS has Authorization Bypass Through User-Controlled Key

Summary StudioCMS contains a Broken Object Level Authorization BOLA vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users. Details The Issue: The endpoint /dashboard/content-management/edit?edit=UUID...

6.5CVSS5.9AI score0.00295EPSS
Exploits2References5
Github Security Blog
Github Security Blog
added 2026/01/27 10:13 p.m.12 views

StudioCMS has Authorization Bypass Through User-Controlled Key

Summary StudioCMS contains a Broken Object Level Authorization BOLA vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users. Details The Issue: The endpoint /dashboard/content-management/edit?edit=UUID...

6.5CVSS5.9AI score0.00295EPSS
Exploits2References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/27 12:0 a.m.7 views

PT-2026-5037

Name of the Vulnerable Software and Affected Versions StudioCMS versions prior to 0.2.0 Description StudioCMS contains a Broken Object Level Authorization BOLA vulnerability in the Content Management feature. This allows users with the "Visitor" role to access draft content created by Editor,...

6.5CVSS5.9AI score0.00295EPSS
Exploits2References6
RedhatCVE
RedhatCVE
added 2025/12/14 5:3 a.m.13 views

CVE-2025-14540

The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userbackgetjson function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract...

4.3CVSS5.2AI score0.00212EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2024-17204

Malicious code in bioql PyPI...

4.3CVSS6.1AI score0.00575EPSS
Exploits0References4
Veracode
Veracode
added 2025/05/29 6:8 p.m.5 views

Unauthorized Access To Unpublished Page Previews

mautic/core is vulnerable to Unauthorized Access to unpublished page previews. The vulnerability is due to missing authorization checks on predictable preview URLs, allowing unauthenticated users and search engines to access and index draft content...

6.5CVSS6.8AI score0.00298EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder