CVE-2026-49288

Statamic CMS patch for CVE-2026-49288 fixes a missing authorization on Control Panel fieldtype endpoints that allowed an authenticated CP user to view restricted metadata and content (entries, assets, users, roles, groups, etc.). The issue could disclose titles, custom field values, entry content...

CVE-2026-49288 Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources...

WordPress WP Hotel Booking plugin < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers vulnerability

Subscriber+ Missing Authorization in Multiple AJAX Handlers vulnerability discovered by Sanjorn Keeratirungsan in WordPress Plugin WP Hotel Booking versions 2.3.1...

CVE-2026-6798 2Download Connector for 2DL Hosted Checkout <= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure via 'ToDownload_email' Parameter

The 2Download Connector for 2DL Hosted Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 0.1.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

CVE-2026-10779

The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the galleryimageupdateasfeature AJAX handler action:...

CVE-2026-9822

The CVE-2026-9822 entry concerns the WP Hotel Booking WordPress plugin prior to version 2.3.1. Root cause: missing capability checks in several AJAX handlers. Impact: authenticated users with Subscriber-level access can read other users’ booking line items, enumerate active coupons, and read pric...

CVE-2026-10034 WP DSGVO Tools (GDPR) <= 3.1.39 - Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure via subject-access-request AJAX Endpoint (process_now/is_ajax Parameters)

The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.39. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to supply an...

CVE-2026-10779 Classified Listing <= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification via Multiple AJAX Handlers ('listingId'/'id' Parameters)

The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the galleryimageupdateasfeature AJAX handler action:...

CVE-2026-10779

CVE-2026-10779 affects the WordPress Classified Listing plugin (versions

PT-2026-51033

Name of the Vulnerable Software and Affected Versions Microsoft Exchange Online affected versions not specified Description Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network. There have been reports of elevated activities targeti...

CVE-2026-52866 Apollo Pharmacy Blood Glucose Monitoring System APG-01 BT Missing Authorization

An attacker within BLE communication range can monopolize the device's only available BLE connection slot, preventing legitimate users or applications from establishing a connection...

CVE-2026-52866

The CVE-2026-52866 entry concerns the Apollo Pharmacy Blood Glucose Monitoring System APG-01 with BT lacking authorization in BLE. The connected docs provide concrete details: an attacker in BLE range can monopolize the device’s only available BLE connection slot, blocking legitimate users/applic...

CVE-2026-49205

phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $this-userHasPermissionPermissionType::BACKUP. The same fix was not applied to 4 other write endpoints...

CVE-2026-49205

phpMyFAQ versions before 4.1.4 have Missing Authorization in the API CategoryController, where four write endpoints (POST /api/v4.0/category, POST /api/v4.0/faq, PUT /api/v4.0/faq, POST /api/v4.0/question) relied on a shared token check instead of per-user permissions. This allowed insufficient a...

WordPress Bogo plugin <= 3.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Information Exposure vulnerability discovered by Andrew Lacambra in WordPress Plugin Bogo versions = 3.9.1...

WordPress Classified Listing – AI-Powered Classified ads & Business Directory plugin <= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Feature Modification vulnerability discovered by Ben Tamam Ben Tamam in WordPress Plugin Classified Listing versions = 5.4.2...

Microsoft Exchange Online Elevation of Privilege Vulnerability

Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network...

CVE-2026-12407

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screenaction function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path...

CVE-2026-12407

CVE-2026-12407 affects the E2Pdf – Export Pdf Tool for WordPress plugin versions up to 1.32.26. The screen_action() path bypasses nonce and capability checks, reading attacker-controlled options from $_POST['wp_screen_options'] and passing them to update_option() with no allowlist, enabling authe...

CVE-2026-12407 E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation via 'screen_action' Parameter

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screenaction function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path...