CVE-2026-29189
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, the SuiteCRM REST API V8 has missing ACL (Access Control List) checks on several endpoints, allowing authenticated users to access and manipulate data they...
Arbitrary Code Injection
Overview kagura-ai is a Universal AI Memory Platform - MCP-native context management for all AI agents. Affected versions of this package are vulnerable to Arbitrary Code Injection due to missing access restrictions in multiple tool endpoints, including codingindexsourcecode,...
CVE-2025-63958
MILLENSYS Vision Tools Workspace 6.5.0.2585 exposes a sensitive configuration endpoint /MILLENSYS/settings that is accessible without authentication. This page leaks plaintext database credentials, file share paths, internal license server configuration, and software update parameters. An...
CVE-2025-55912
An issue in ClipBucket 5.5.0 and prior versions allows an unauthenticated attacker to exploit the plupload endpoint in photouploader.php to upload arbitrary files without any authentication, due to missing access controls in the upload handler...
CVE-2025-55912
ClipBucket 5.5.0 and earlier versions are affected by an unauthenticated arbitrary file upload vulnerability in the plupload endpoint at photo_uploader.php due to missing access controls in the upload handler. Exploitation can lead to remote code execution by uploading crafted PHP files (as shown...
CVE-2025-20323
In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search Bucket Copy Trigger within the Splunk Archiver application. This is because of missing access controls in the saved...
GO-2025-3600 Missing ACLs on JavaScript APIs allowing privilege escalation github.com/nats-io/nats-server
Missing...
Information Exposure
Overview agpt is an open-source attempt to make GPT-4 autonomous. Affected versions of this package are vulnerable to Information Exposure due to missing access controls in the WebSocket API. Node execution updates were sent to any subscriber using a valid graphid and graphversion, allowing...
WordPress plugin Hive Support security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
U.S. Dept Of Defense: Exposed Extremely Sensitive Information in Public ZIP File
A publicly accessible ZIP file containing sensitive information, including SMTP credentials, database connection details, and AWS secret keys, was discovered. The sensitive data was exposed due to the lack of proper access controls and encryption. The exposed credentials could have been misused f...
CVE-2023-22813
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Android Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS...
SUSE CVE-2017-11104
Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within the TSIG protocol implementation that would allow an attacker with a valid key name and algorithm to bypass TSIG authentication if no additional ACL restrictions are set, because of an improper TSIG validity period check...
Unprotected Ether Withdrawal
Description: Due to missing or insufficient access controls, malicious parties can withdraw some or all Ether from the contract account. This bug is sometimes caused by unintentionally exposing initialization functions. By wrongly naming a function intended to b...
PT-2022-13187 · WordPress · Userswp
Name of the Vulnerable Software and Affected Versions: UsersWP WordPress plugin versions prior to 1.2.3.1. Description: The issue is related to missing access controls when updating a user avatar and the lack of unique file names for user avatars. This allows a logged-in user to overwrite another...
Sassy Social Share 3.3.23 - Missing Access Controls to PHP Object Injection
Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wpajaxheateorsssimportconfig AJAX action due to a missing capability check in the importconfig function found in the /admin/class-sassy-social-share-admin.php file along with the implementation...
WordPress PostX – Gutenberg Blocks for Post Grid plugin <= 2.4.9 - Missing Access Controls vulnerability
Missing Access Controls vulnerability discovered by apple502j in WordPress PostX – Gutenberg Blocks for Post Grid plugin versions <= 2.4.9. Solution: Update the WordPress PostX – Gutenberg Blocks for Post Grid plugin to the latest available version, at least 2.4.10...