EUVD-2026-19747
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
EUVD-2025-209272
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded toke...
CVE-2026-39348 OrangeHRM: Missing Authorization Checks in AbstractFileController Subclasses Expose Job Specification and Vacancy Attachments
OrangeHRM is a comprehensive human resource management (HRM) system. In versions 5.0 through 5.8, OrangeHRM Open Source omits authorization on the job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifier...
CVE-2026-39348
CVE-2026-39348 affects OrangeHRM Open Source versions 5.0–5.8 where the AbstractFileController subclasses do not perform authorization checks for job specification and vacancy attachment downloads. This allows authenticated, low-privilege users to read attachments by directly referencing attachme...
CVE-2026-22680
OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes withou...
CVE-2026-22680
The vulnerability affects OpenViking prior to version 0.3.3, where the task polling endpoints (/api/v1/tasks and /api/v1/tasks/{task_id}) allow unauthenticated access. Root cause: missing authorization on task polling exposes background task metadata (task type, status, resource identifiers, arch...
CVE-2025-14944 Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded toke...
CVE-2025-14944
The CVE concerns the WordPress Backup Migration plugin and affects all versions up to 2.0.0. Root cause: missing capability check in initializeOfflineAjax and insufficient nonce verification, with hardcoded tokens exposed in the plugin’s JavaScript. This allows unauthenticated attackers to trigge...
Missing Authorization
Overview Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Missing Authorization in the InlineModelAdmin.get_formset function. An attacker can gain unauthorized access to add inline model...
Missing Authorization
Overview Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Missing Authorization in the admin changelist forms using ModelAdmin.list_editable. An attacker can gain unauthorized access to...
CVE-2026-5383 runZero Explorer missing authorization check
An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L 4.4 Medium. This issue was fixed in...
CVE-2026-5383
Summary: CVE-2026-5383 affects runZero Explorer, described as an incorrect authorization (CWE-863) that could allow access to Explorer groups from outside the authorized organization scope. It is scored CVSSv3.1: AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L (4.4, Medium) and has been fixed in runZero Expl...
Missing Authorization
Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Missing Authorization due to missing access-control validation in...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to missing access-control validation in the AJAX endpoint used for downloading saved model artifacts. An attacker can gain unauthorized access to model artifacts by directly querying this endpoint without prope...
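Several of the entries above (OpenViking task polling, the OrangeHRM attachment downloads, the mlflow artifact download endpoint) share one root cause: a handler fetches a record by the identifier the client supplies and returns it without asking whether the caller is allowed to see it. The following is an added example, not code from any of those projects; the in-memory task store, the Principal/Task types, the sample tasks and the NotFound outcome are all constructed here for illustration. It shows the vulnerable lookup beside one that enforces ownership, and what an identifier-iterating attacker learns from each.

```python
"""Authorization on object-by-identifier endpoints (added example).

Models the pattern behind the advisories above: a lookup keyed only on a
client-supplied id, with no check of the caller's rights. All data and
types below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Principal:
    user_id: Optional[str]      # None models an unauthenticated caller
    is_admin: bool = False


@dataclass(frozen=True)
class Task:
    task_id: str
    owner_id: str
    kind: str
    status: str
    resource: str               # path/archive the task touched (metadata worth protecting)


# Constructed sample data: background tasks belonging to two different users.
TASKS = {
    "t-1": Task("t-1", "alice", "import", "done", "s3://bucket/alice/archive.zip"),
    "t-2": Task("t-2", "bob", "export", "running", "/srv/bob/report.tar"),
    "t-3": Task("t-3", "bob", "import", "failed", "/srv/bob/upload.zip"),
}


class NotFound(Exception):
    """Raised both for a missing task and for one the caller may not read."""


def vulnerable_get_task(task_id: str) -> Task:
    # Missing authorization: any caller, authenticated or not, can read any
    # task just by guessing or iterating identifiers.
    return TASKS[task_id]


def _can_read(principal: Principal, task: Task) -> bool:
    if principal.user_id is None:
        return False
    return principal.is_admin or task.owner_id == principal.user_id


def get_task(principal: Principal, task_id: str) -> Task:
    task = TASKS.get(task_id)
    # One 'not found' outcome for both cases, so an attacker cannot tell a
    # nonexistent id from an id owned by someone else.
    if task is None or not _can_read(principal, task):
        raise NotFound(task_id)
    return task


def list_tasks(principal: Principal) -> list:
    # Filter server-side by the authenticated identity, never by a client-supplied filter.
    return [t for t in TASKS.values() if _can_read(principal, t)]


def enumerate_metadata(fetch: Callable[[str], Task], candidates: Iterable[str]) -> dict:
    """What an attacker iterating candidate identifiers learns through `fetch`."""
    found = {}
    for tid in candidates:
        try:
            found[tid] = fetch(tid).resource
        except (KeyError, NotFound):
            continue
    return found


if __name__ == "__main__":
    anon = Principal(user_id=None)
    guesses = [f"t-{i}" for i in range(1, 6)]
    print("vulnerable:", enumerate_metadata(vulnerable_get_task, guesses))
    print("hardened:  ", enumerate_metadata(lambda tid: get_task(anon, tid), guesses))
    print("bob sees:  ", [t.task_id for t in list_tasks(Principal("bob"))])
```

The unauthenticated sweep over t-1..t-5 recovers every stored resource path through the vulnerable lookup and nothing through the hardened one; bob's listing is reduced to his own two tasks. Note that the check is on the object, not just the route: requiring a login on the endpoint would still let bob read alice's task.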
EUVD-2026-19594
Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ocean Extra: from n/a through 2.5.3...
CVE-2026-34899
Missing Authorization vulnerability in Eniture Technology LTL Freight Quotes – Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through 5.2.1...
CVE-2026-34903
Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ocean Extra: from n/a through 2.5.3...