CVE-2026-39477

Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CartFlows: from n/a through = 2.2.3...

CVE-2026-39476

Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through = 1.10.1...

CVE-2026-4299

The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeatreceived function in the LiveUpdate class. This makes it possible for authenticated attackers, with...

CVE-2026-4124

The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wpajaxziggeoajax handler only verifies a nonce checkajaxreferer but performs no capability checks via currentusercan. Furthermore, the nonce 'ziggeoajaxnonce' is exposed to all...

CVE-2026-4162

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access a...

CVE-2026-22683

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...

EUVD-2026-21992

Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800...

CVE-2026-30811

Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800...

CVE-2026-30811

CVE-2026-30811 affects Pandora FMS (versions 777–800) and is a Missing Authorization vulnerability exposed via a configuration Ajax endpoint, causing exposure of sensitive information. The NVD/NVD-derived data lists a CVSS4 base score of 8.4 (HIGH) with NETWORK attack vector, LOW complexity, and ...

CVE-2026-30811 Missing Authorization in Configuration Ajax Endpoint leads to Information Disclosure

Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800...

CVE-2026-30811 Missing Authorization in Configuration Ajax Endpoint leads to Information Disclosure

Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800...

CVE-2026-30811

Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800...

WordPress Gravity SMTP plugin <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall vulnerability

Missing Authorization to Authenticated Subscriber+ Plugin Uninstall vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Gravity SMTP versions = 2.1.4...

BIT-GITLAB-2025-9484 Missing Authorization in GitLab

GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in state-changing routes. An attacker can upload or delete files, create directories, and remove access control policies by sending unauthenticated requests to endpoints such as...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in state-changing routes. An attacker can upload or delete files, create directories, and remove access control policies by sending unauthenticated requests to endpoints such as...

GHSA-W8JJ-CWMC-WGQ2 Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure

Summary The system log endpoints GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary...

Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure

Summary The system log endpoints GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing authorization checks in the GetSystemLogs, SSESubscribeSystemLogs, and WSSubscribeSystemLogs endpoints. A non-admin user can access sensitive server log information, including error stack traces,...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to the lack of a RequireScopes call in internal/router/comment.go comment panel admin endpoint. An attacker can gain unauthorized access to comment moderation operations, including listing, approving, rejecting...