18 matches found

Source: CVE
Added 2026/06/16 9:31 a.m., 43 views

CVE-2026-2381

The CVE concerns the WooCommerce Stripe Payment Gateway plugin for WordPress, affected in all versions up to 10.7.0. Root cause: missing capability check and missing order ownership/order_key verification in the wc_stripe_pay_for_order WC‑AJAX endpoint, with only a nonce validation. Impact: unaut...

CVSS 6.5 | AI score 5.3 | EPSS 0.00267
Exploits 0 | References 6
Source: OSV
Added 2026/05/14 8:27 p.m., 13 views

GHSA-R472-MW7M-967F Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints. Summary: Multiple endpoints accept a user-supplied file_id and attach the referenced file to a resource the caller controls (folder knowledge, knowledge-base contents) without verifying that the caller...

CVSS 8.1 | AI score 5.8 | EPSS 0.00346
Exploits 1 | References 4
Source: Cvelist
Added 2026/05/11 12:00 a.m., 33 views

CVE-2026-38568

HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authoriz...

EPSS 0.00231
Exploits 1 | References 3
Source: Github Security Blog
Added 2026/04/21 3:20 p.m., 11 views

OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure

Cross-user wishlist item import via shared wishlist code, leading to private option disclosure and a file-disclosure variant. Summary: The shared wishlist add-to-cart endpoint authorizes access with a public sharing_code, but loads the acted-on wishlist item by a separate global wishlist_item_id and nev...

CVSS 5.4 | AI score 5.7 | EPSS 0.00176
Exploits 1 | References 5 | Affected Software 1
Source: ATTACKERKB
Added 2026/04/10 1:24 a.m., 2 views

CVE-2026-4057

The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the makeMediaPublic and makeMediaPrivate functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for the edit_posts capability...

CVSS 4.3 | AI score 5.9 | EPSS 0.00373
Exploits 0 | References 8
Source: Github Security Blog
Added 2026/03/29 3:41 p.m., 9 views

AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking

Summary The plugin/PlayLists/View/Playlistsschedules/add.json.php endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless of ownership. When the schedule executes, the rebroadcast runs under the...

CVSS 6.3 | AI score 6 | EPSS 0.00249
Exploits 1 | References 4 | Affected Software 1
Source: EUVD
Added 2026/03/27 7:36 p.m., 3 views

EUVD-2026-16850

Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check...

CVSS 8.7 | AI score 5.8 | EPSS 0.00406
Exploits 0 | References 2
Source: OSV
Added 2026/03/26 11:39 p.m., 3 views

CVE-2026-29070 Open WebUI has unauthorized deletion of knowledge files

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin,...

CVSS 5.4 | AI score 5.9 | EPSS 0.00252
Exploits 1 | References 3
Source: OSV
Added 2026/03/26 8:33 p.m., 3 views

GO-2026-4850 Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

CVSS 6.9 | AI score 5.9 | EPSS 0.00205
Exploits 0 | References 3
Source: Github Security Blog
Added 2026/03/25 9:21 p.m., 6 views

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion

Summary: The DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target...

CVSS 6.9 | AI score 5.8 | EPSS 0.00205
Exploits 0 | References 4 | Affected Software 1
Source: NVD
Added 2026/02/26 11:16 p.m., 6 views

CVE-2026-28217

hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...

CVSS 6.5 | EPSS 0.00369
Exploits 1 | References 2
Source: OSV
Added 2026/02/26 10:49 p.m., 6 views

CVE-2026-28230 In SteVe, any authenticated charger can terminate any other charger's active transaction (missing ownership verification on StopTransaction)

SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId, a sequential integer starting from 1, without verifying that the requesting charger matches...

CVSS 7.1 | AI score 5.8 | EPSS 0.0016
Exploits 0 | References 4
Source: CVE
Added 2026/01/15 6:45 a.m., 20 views

CVE-2025-14457

CVE-2025-14457 affects the Drag and Drop Multiple File Upload for Contact Form 7 (WordPress) plugin. The root cause is a missing ownership check in dnd_codedropz_upload_delete(), allowing unauthenticated users to delete arbitrary uploaded files when the \

CVSS 7.4 | AI score 5.3 | EPSS 0.00196
Exploits 0 | References 2 | Affected Software 1
Source: Cvelist
Added 2026/01/15 6:45 a.m., 25 views

CVE-2025-14457 Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dnd_codedropz_upload_delete function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated...

CVSS 3.7 | EPSS 0.00196
Exploits 0 | References 2
Source: Code423n4
Added 2023/10/11 12:00 a.m., 8 views

No validation allows unauthorized voting power transfer by any user.

Lines of code / Vulnerability details / Impact: There is no check that the msg.sender is allowed to delegate votes on behalf of the sources. Any user could call delegateMulti and transfer voting power from other addresses. There should be a require statement to ensure msg.sender owns the tokens they a...

AI score 7.2
Exploits 0
Source: OSV
Added 2023/04/24 7:15 p.m., 3 views

CVE-2023-1129

The WP FEvents Book WordPress plugin through 0.46 does not ensure that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel bookings on behalf of other users...

CVSS 6.5 | AI score 6.9 | EPSS 0.00555
Exploits 2 | References 1
Source: OSV
Added 2021/04/28 9:15 p.m., 13 views

CVE-2020-22785

Etherpad 1.8.3 is affected by a missing lock check which could cause a denial of service. Aggressively targeting random pad import endpoints with empty data would flatten all pads due to lack of rate limiting and missing ownership check...

CVSS 7.5 | AI score 6.7
Exploits 0 | References 1
Source: OSV
Added 2017/03/14 5:59 p.m., 2 views

DEBIAN-CVE-2017-5985

lxc-user-nic in Linux Containers LXC allows local users with a lxc-usernet allocation to create network interfaces on the host and choose the name of those interfaces by leveraging lack of netns ownership check...

CVSS 3.3 | AI score 5.3 | EPSS 0.00337
Exploits 0 | References 1