CVE-2026-28555 wpForo Forum 2.4.14 Missing Authorization via Topic Close AJAX Handler
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforocloseajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum...
CVE-2026-28554
CVE-2026-28554 affects wpForo Forum 2.4.14 and is due to a missing authorization vulnerability in the wpforo_approve_ajax handler. The nonce-only check allows authenticated subscribers to approve or unapprove any forum post by submitting a valid nonce with an arbitrary post ID, bypassing moderati...
CVE-2026-28554 wpForo Forum 2.4.14 Missing Authorization via Post Approval AJAX Handler
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation...
PT-2026-22477
Name of the Vulnerable Software and Affected Versions: wpForo Forum version 2.4.14. Description: An issue exists in wpForo Forum that allows authenticated subscribers to perform actions typically reserved for moderators. Specifically, attackers can move, merge, or split any forum topic using the top...
PT-2026-22476
Name of the Vulnerable Software and Affected Versions: wpForo Forum version 2.4.14. Description: The software contains a missing authorization flaw. Authenticated subscribers can close or reopen any forum topic through the wpforo close ajax handler. An attacker can bypass the moderator permission...
CVE-2026-28515
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this...
CVE-2026-28424
Statamic CMS contains a medium-severity exposure where email addresses were returned by the user fieldtype data endpoint for control panel users lacking the view users permission. Affected versions are prior to 5.73.11 and 6.4.0. The issue has been fixed in 5.73.11 and 6.4.0. The CVSS vector indi...
CVE-2026-28424 Statamic's missing authorization allows access to email addresses
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype's data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...
CVE-2026-28515 openDCIM <= 23.04 Missing Authorization in install.php
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this...
CVE-2026-28515
CVE-2026-28515 overview (openDCIM 23.04 and earlier commits 4467e9c4): The installer and upgrade/LDAP configuration endpoints (install.php and container-install.php) fail to enforce application role checks, allowing any authenticated user to modify configuration when REMOTE_USER is set or when cr...
Missing Authorization
Overview: thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Missing Authorization via the WebAuthnController::prepare endpoint in the Frontend WebAuthn API component. An unauthenticated attacker can create...
CVE-2026-27792
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...
CVE-2026-27792 Seerr missing authentication on pushSubscription endpoints
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...
GHSA-QMJJ-P7M9-WJRV @actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
In multi-user mode OpenID, the sync API endpoints /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Affected Code File:...
Missing Authorization
Overview: @actual-app/sync-server is an Actual syncing server. Affected versions of this package are vulnerable to Missing Authorization via the /sync/ endpoints due to missing verification that the authenticated user owns or has access to the targeted file. An attacker can access, modify, or...
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
In multi-user mode OpenID, the sync API endpoints /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID...
JetBrains TeamCity < 2025.11.3 Multiple Vulnerabilities
The version of JetBrains TeamCity installed on the remote host is prior to 2025.11.3. It is, therefore, affected by multiple vulnerabilities: - Open redirect was possible in the React project creation flow. CVE-2026-28194 - Missing authorization allowed project developers to add parameters to bui...
Dell Wyse Management Suite < 5.5 Multiple Vulnerabilities (DSA-2026-103)
The version of Dell Wyse Management Suite installed on the remote host is prior to 5.5. It is, therefore, affected by multiple vulnerabilities, including: - A missing authorization vulnerability that could allow a low privileged attacker with remote access to potentially exploit this vulnerabilit...
WordPress Japanized for WooCommerce plugin <= 2.8.4 - Missing Authorization to Unauthenticated Paidy Order Manipulation vulnerability
Missing Authorization to Unauthenticated Paidy Order Manipulation vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - cyberdogzmarketing.com | krei.dev | ogbuilders.io in WordPress Plugin Japanized For WooCommerce versions <= 2.8.4...