
21321 matches found

CVE
added 2026/04/21 11:24 p.m. | 6 views

CVE-2026-41127

BigBlueButton (open-source virtual classroom) prior to 3.0.24 has an authorization flaw that allows viewers to inject or overwrite captions; version 3.0.24 tightened permissions to submit captions. No known workarounds are provided. CVSS 3.1 base score is 6.5 (I: High, A: None, C: None; Privilege...

CVSS 6.5 | AI score 5.8 | EPSS 0.00178
Exploits: 0 | References: 1

Snyk
added 2026/04/21 8:14 p.m. | 2 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the commentable field in the API, which allows access to all commentable resources without permission checks. An attacker can retrieve sensitive information by sending unauthenticated requests to the /api...

CVSS 8.7 | AI score 5.5 | EPSS 0.00287
Exploits: 0 | References: 2

Snyk
added 2026/04/21 8:14 p.m. | 3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the commentable field in the API, which allows access to all commentable resources without permission checks. An attacker can retrieve sensitive information by sending unauthenticated requests to the /api...

CVSS 8.7 | AI score 5.5 | EPSS 0.00287
Exploits: 0 | References: 2

Vulnrichment
added 2026/04/21 4:48 p.m. | 2 views

CVE-2026-40570 FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the load_customer_info action in POST /conversation/ajax returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retriev...

CVSS 7.1 | AI score 5.8 | EPSS 0.00249
Exploits: 0 | References: 3

CVE
added 2026/04/21 4:48 p.m. | 11 views

CVE-2026-40570

FreeScout prior to 1.8.213 exposes sensitive customer data. The load_customer_info action at POST /conversation/ajax returns full customer profile data to any authenticated user without mailbox-access verification, requiring only a valid email to retrieve PII. Affected version range is before 1.8...

CVSS 7.1 | AI score 5.8 | EPSS 0.00249
Exploits: 0 | References: 3

Patchstack
added 2026/04/21 9:21 a.m. | 2 views

WordPress Responsive Blocks – Page Builder for Blocks & Patterns plugin 2.0.9-2.2.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification vulnerability

Missing Authorization to Authenticated Contributor+ Arbitrary Modification vulnerability discovered by Even S in WordPress Plugin Responsive Blocks versions 2.0.9-2.2.1...

CVSS 4.3 | AI score 5.8 | EPSS 0.0023
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2026/04/21 6:43 a.m. | 8 views

CVE-2026-6703

The CVE concerns the WordPress plugin “Responsive Blocks – Page Builder for Blocks & Patterns” (versions up to 2.2.1). The root cause is improper authorization verification, allowing authenticated attackers with contributor-level access or higher to modify global site-wide plugin configuration op...

CVSS 4.3 | AI score 5.7 | EPSS 0.0023
Exploits: 0 | References: 8

Snyk
added 2026/04/20 7:31 p.m. | 1 view

Missing Authorization

Overview openmage/magento-lts is a This repository is the home of an unofficial community-driven project. Affected versions of this package are vulnerable to Missing Authorization through the MageWishlistSharedController shared wishlist item flow. An attacker can access or manipulate wishlist ite...

CVSS 5.4 | AI score 5.5 | EPSS 0.00176
Exploits: 1 | References: 2

GithubExploit
added 2026/04/18 9:39 a.m. | 83 views

Exploit for CVE-2025-14364

CVE-2025-14364 Demo Importer Plus = 2.0.8 - Missing Author...

CVSS 8.8 | AI score 5.9 | EPSS 0.00302
Exploits: 1

GithubExploit
added 2026/04/18 9:25 a.m. | 103 views

Exploit for CVE-2026-1937

CVE-2026-1937 YayMail = 4.3.2 - Missing Authorization to A...

CVSS 7.2 | AI score 6.1 | EPSS 0.00411
Exploits: 1

Snyk
added 2026/04/17 9:58 p.m. | 3 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization in the channel setup. An attacker can gain unauthorized access to privileged plugin functionality by introducing untrusted workspace plugin shadows that are resolved...

CVSS 8.8 | AI score 5.8 | EPSS 0.00386
Exploits: 0 | References: 2

Snyk
added 2026/04/17 9:55 p.m. | 2 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization in the approval authorization. An attacker can gain unauthorized approval rights by exploiting empty approver lists, allowing them to resolve pending approvals if th...

CVSS 7.6 | AI score 5.7 | EPSS 0.00244
Exploits: 0 | References: 2

Snyk
added 2026/04/17 9:50 p.m. | 4 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization in the delivery queue recovery. An attacker can bypass group tool-policy enforcement for media replay by replaying recovered queued outbound media without the origin...

CVSS 6.5 | AI score 5.7 | EPSS 0.00214
Exploits: 0 | References: 2

CVE
added 2026/04/17 7:19 p.m. | 10 views

CVE-2026-35061

CVE-2026-35061 affects Anviz CX7 Firmware. The vulnerability allows retrieval of the most recently captured test photo without authentication, exposing sensitive operational imagery. The associated CVSS 3.1 metrics indicate an external network access vector with low attack complexity and no privi...

CVSS 5.3 | AI score 5.7 | EPSS 0.003
Exploits: 0 | References: 3 | Affected Software: 1

Cvelist
added 2026/04/17 7:19 p.m. | 16 views

CVE-2026-35061 Anviz Products Missing Authorization

Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be retrieved without authentication, revealing sensitive operational imagery...

CVSS 5.3 | EPSS 0.003
Exploits: 0 | References: 3

CVE
added 2026/04/17 7:17 p.m. | 9 views

CVE-2026-33093

CVE-2026-33093 — Anviz CX7 Firmware is vulnerable to an unauthenticated POST to the device that triggers the front-facing camera to capture a photo, exposing visible information about the deployment environment. Affected product: Anviz CX7 Firmware. Reported impact: confidentiality loss (low) wit...

CVSS 5.3 | AI score 5.8 | EPSS 0.00249
Exploits: 0 | References: 3 | Affected Software: 1

Vulnrichment
added 2026/04/17 7:17 p.m. | 1 view

CVE-2026-33093 Anviz Products Missing Authorization

Anviz CX7 Firmware is vulnerable to an unauthenticated POST to the device that captures a photo with the front facing camera, exposing visual information about the deployment environment...

CVSS 5.3 | AI score 5.8 | EPSS 0.00249
Exploits: 0 | References: 3

Snyk
added 2026/04/17 3:31 p.m. | 0 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the Connected Workspaces API. An attacker can change the displayed status of local users by connecting a malicious remote server using the Connected Workspaces feature. Remediation Upgrade...

CVSS 5.1 | AI score 5.8 | EPSS 0.00167
Exploits: 0 | References: 2

Snyk
added 2026/04/17 3:31 p.m. | 2 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the Connected Workspaces API. An attacker can change the displayed status of local users by connecting a malicious remote server using the Connected Workspaces feature. Remediation Upgrade...

CVSS 5.1 | AI score 5.8 | EPSS 0.00167
Exploits: 0 | References: 2

EUVD
added 2026/04/17 9:31 a.m. | 31 views

EUVD-2026-23382

The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions function, which is exposed via two AJAX hooks: wpajaxupdateOptions class-canto.php line 231 an...

CVSS 4.3 | AI score 5.7 | EPSS 0.00282
Exploits: 0 | References: 8