21345 matches found
PT-2026-27841
Name of the Vulnerable Software and Affected Versions: Jobs for WordPress versions through 2.8. Description: An authorization issue exists in BlueGlass Interactive AG Jobs for WordPress job postings. This allows exploitation of incorrectly configured access control security levels. Recommendations...
PT-2026-27844
Name of the Vulnerable Software and Affected Versions: Booking and Rental Manager versions n/a through 2.6.0. Description: An authorization issue exists in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce. This is due to incorrectly configured access control...
PT-2026-27882
Name of the Vulnerable Software and Affected Versions: raratheme Education Zone versions through 1.3.8. Description: An authorization issue exists in raratheme Education Zone. The issue involves exploiting incorrectly configured access control security levels. Recommendations: Update Education Zone t...
PT-2026-27814
Name of the Vulnerable Software and Affected Versions: My Album Gallery versions through 1.0.4. Description: An authorization issue exists in Ruhul Amin My Album Gallery. The issue involves exploiting incorrectly configured access control security levels. Recommendations: Update My Album Gallery to a...
PT-2026-27945
Name of the Vulnerable Software and Affected Versions: CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms versions through 1.2.2. Description: An authorization issue exists in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms...
PT-2026-27808
Name of the Vulnerable Software and Affected Versions: Metagauss EventPrime versions n/a through 4.2.6.0. Description: A missing authorization flaw exists in Metagauss EventPrime eventprime-event-calendar-management. This issue allows exploitation of incorrectly configured access control security...
PT-2026-27939
Name of the Vulnerable Software and Affected Versions: Arni Cinco WPCargo Track & Trace versions n/a through 8.0.2. Description: An authorization issue exists in Arni Cinco WPCargo Track & Trace wpcargo due to incorrectly configured access control security levels. This allows for exploitation of the...
PT-2026-27865
Name of the Vulnerable Software and Affected Versions: Elated Listing versions n/a through 1.4. Description: A missing authorization flaw exists in Elated-Themes Elated Listing eltd-listing. This issue stems from incorrectly configured access control security levels, potentially allowing unauthorize...
PT-2026-27850
Name of the Vulnerable Software and Affected Versions: loopus WP Cost Estimation & Payment Forms Builder versions prior to 10.3.0. Description: An authorization issue exists in loopus WP Cost Estimation & Payment Forms Builder’s WP Estimation Form component. The issue stems from incorrectly configur...
Kibana 8.x < 8.19.12 / 9.x < 9.2.6 / 9.3.x < 9.3.1 Missing Authorization (ESA-2026-19)
The version of Kibana installed on the remote host is prior to 8.19.12, 9.2.6, or 9.3.1. It is, therefore, affected by a vulnerability as referenced in the ESA-2026-19 advisory. - Missing Authorization CWE-862 in Kibana's server-side Detection Rule Management can lead to Unauthorized Endpoint...
PT-2026-27966
Name of the Vulnerable Software and Affected Versions: Kaira StoreCustomizer versions prior to 2.6.4. Description: An authorization issue exists in Kaira StoreCustomizer woocustomizer, allowing exploitation of incorrectly configured access control security levels. The issue affects the way access...
PT-2026-27935
Name of the Vulnerable Software and Affected Versions: CoderPress Commerce Coinbase For WooCommerce versions through 1.6.6. Description: An authorization issue exists in CoderPress Commerce Coinbase For WooCommerce commerce-coinbase-for-woocommerce. The issue involves exploiting incorrectly configur...
Missing Authorization
Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization in the actionMoveToSection process. An attacker can perform unauthorized content changes by sending crafted POST requests to the affected endpoint, allowing them to move...
Missing Authorization
Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the assets/image-editor endpoint. An attacker can access private editor metadata, including focalPoint, for assets they are not authorized to view by supplying the I...
Missing Authorization
Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the assets/generate-transform endpoint. An attacker can access content derived from private assets by submitting requests with arbitrary asset references, as the...
Missing Authorization
Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the ConfigSyncController process. An attacker can perform unauthorized configuration synchronization operations by sending crafted requests to endpoints such as...
WordPress Smart Custom Fields plugin <= 5.0.6 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search vulnerability
Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Relational Post Search vulnerability discovered by darkmode in WordPress Plugin Smart Custom Fields versions <= 5.0.6...
CVE-2026-33676 Vikunja has Cross-Project Information Disclosure via Task Relations — Missing Authorization Check on Related Task Read
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the related_tasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...
CVE-2026-33676
Summary: Vikunja, an open-source self-hosted task manager, has a cross-project information disclosure in its API. Before 2.2.1, when returning tasks, the API fills the related_tasks field with full task objects for all related tasks without verifying the requester’s read permission on those proje...