18 matches found
CVE-2026-2381
The CVE concerns the WooCommerce Stripe Payment Gateway plugin for WordPress, affected in all versions up to 10.7.0. Root cause: missing capability check and missing order ownership/order_key verification in the wc_stripe_pay_for_order WC‑AJAX endpoint, with only a nonce validation. Impact: unaut...
GHSA-R472-MW7M-967F Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints
Cross-User File Access via Unchecked fileid in Folder Knowledge and Knowledge-Base Attach Endpoints Summary Multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the caller...
CVE-2026-38568
HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/ and /interview/ endpoints. The route handlers retrieve records by the user-supplied ID without verifying that the requesting user is the owner or has an authoriz...
OpenMage LTS: Cross-user wishlist import leads to private option & file disclosure
Cross-user wishlist item import via shared wishlist code, leading to private option disclosure and file-disclosure variant Summary The shared wishlist add-to-cart endpoint authorizes access with a public sharingcode, but loads the acted-on wishlist item by a separate global wishlistitemid and nev...
CVE-2026-4057
The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the makeMediaPublic and makeMediaPrivate functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for editposts capability...
AVideo: Missing Authorization in Playlist Schedule Creation Allows Cross-User Broadcast Hijacking
Summary The plugin/PlayLists/View/Playlistsschedules/add.json.php endpoint allows any authenticated user with streaming permission to create or modify broadcast schedules targeting any playlist on the platform, regardless of ownership. When the schedule executes, the rebroadcast runs under the...
EUVD-2026-16850
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check...
CVE-2026-29070 Open WebUI has unauthorized deletion of knowledge files
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, an access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin,...
GO-2026-4850 Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api
Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...
Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion
Summary The DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target...
CVE-2026-28217
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.0, the userCollection GraphQL query accepts an arbitrary collection ID and returns the full collection data — including title, type, and the serialized data field containing HTTP requests with headers and potentially...
CVE-2026-28230 In SteVe, any authenticated charger can terminate any other charger's active transaction (missing ownership verification on StopTransaction)
SteVe is an open-source EV charging station management system. In versions up to and including 3.11.0, when a charger sends a StopTransaction message, SteVe looks up the transaction solely by transactionId a sequential integer starting from 1 without verifying that the requesting charger matches...
CVE-2025-14457
CVE-2025-14457 affects the Drag and Drop Multiple File Upload for Contact Form 7 (WordPress) plugin. The root cause is a missing ownership check in dnd_codedropz_upload_delete(), allowing unauthenticated users to delete arbitrary uploaded files when the \
CVE-2025-14457 Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing ownership check in the dndcodedropzuploaddelete function in all versions up to, and including, 1.3.9.2. This makes it possible for unauthenticated...
No validation allows unauthorized voting power transfer by any user.
Lines of code Vulnerability details Impact There is no check that the msg.sender is allowed to delegate votes on behalf of the sources. Any user could call delegateMulti and transfer voting power from other addresses. There should be a require statement to ensure msg.sender owns the tokens they a...
CVE-2023-1129
The WP FEvents Book WordPress plugin through 0.46 does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users...
CVE-2020-22785
Etherpad 1.8.3 is affected by a missing lock check which could cause a denial of service. Aggressively targeting random pad import endpoints with empty data would flatten all pads due to lack of rate limiting and missing ownership check...
DEBIAN-CVE-2017-5985
lxc-user-nic in Linux Containers LXC allows local users with a lxc-usernet allocation to create network interfaces on the host and choose the name of those interfaces by leveraging lack of netns ownership check...