21395 matches found

CNNVD
added 2026/02/10 12:0 a.m. | 5 views

SAP Fiori app security vulnerability

The SAP Fiori App is a corporate application developed by the German company SAP. The SAP Fiori App has a security vulnerability, which stems from failing to perform necessary authorization checks on authenticated users, potentially leading to privilege escalation...

CVSS 4.3 | AI score 5.8 | EPSS 0.00158
Exploits: 0 | References: 3
CNNVD
added 2026/02/10 12:0 a.m. | 5 views

SAP Strategic Enterprise Management security vulnerability

SAP Strategic Enterprise Management is a corporate strategic management software developed by the German company SAP. There is a security vulnerability in SAP Strategic Enterprise Management, which stems from the lack of authorization checks, potentially allowing unauthorized access to informatio...

CVSS 4.3 | AI score 5.8 | EPSS 0.00221
Exploits: 0 | References: 3
Cvelist
added 2026/02/09 8:48 p.m. | 25 views

CVE-2026-25806 PlaciPy has Missing Authorization Checks on Student Management Endpoints (IDOR)

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do...

CVSS 5.3 | EPSS 0.00212
Exploits: 0 | References: 1
NVD
added 2026/02/08 2:15 a.m. | 5 views

CVE-2026-2208

A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended ...

CVSS 6.5 | EPSS 0.00244
Exploits: 0 | References: 6
Cvelist
added 2026/02/08 1:9 a.m. | 32 views

CVE-2026-2208 WeKan Rules rules.js RulesBleed authorization

A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended ...

CVSS 5.3 | EPSS 0.00244
Exploits: 0 | References: 6
EUVD
added 2026/02/08 1:9 a.m. | 6 views

EUVD-2026-5821

A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended ...

CVSS 6.5 | AI score 4.6 | EPSS 0.00244
Exploits: 0 | References: 6
Positive Technologies
added 2026/02/08 12:0 a.m. | 3 views

PT-2026-6947

Name of the Vulnerable Software and Affected Versions: WeKan versions prior to 8.21. Description: A security issue exists in WeKan related to missing authorization within the Rules Handler component. The problem resides in an unknown function of the file server/publications/rules.js. This can be...

CVSS 5.3 | AI score 5.4 | EPSS 0.00244
Exploits: 0 | References: 8
RedhatCVE
added 2026/02/07 1:13 p.m. | 7 views

CVE-2026-1499

The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the processaddsite AJAX action combined with path traversal in the file upload functionality. This...

CVSS 8.8 | AI score 6 | EPSS 0.0094
Exploits: 0 | References: 1
CVE
added 2026/02/07 8:26 a.m. | 16 views

CVE-2025-15476

CVE-2025-15476 affects the WordPress plugin The Bucketlister, specifically versions up to 0.1.5. The root cause is a missing capability check in the bucketlister_do_admin_ajax() function, allowing authenticated attackers with Subscriber-level access (and higher) to add, delete, or modify arbi...

CVSS 4.3 | AI score 5.5 | EPSS 0.00158
Exploits: 0 | References: 2
Vulnrichment
added 2026/02/07 8:26 a.m. | 4 views

CVE-2025-15476 The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVSS 4.3 | AI score 5.7 | EPSS 0.00158
Exploits: 0 | References: 2
Patchstack
added 2026/02/07 12:9 a.m. | 7 views

WordPress The Bucketlister plugin <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification vulnerability

Missing Authorization to Authenticated (Subscriber+) Bucket List Modification vulnerability discovered by Ivan Cese in WordPress Plugin The Bucketlister versions <= 0.1.5...

CVSS 4.3 | AI score 5.4 | EPSS 0.00158
Exploits: 0 | References: 1 | Affected Software: 1
Snyk
added 2026/02/06 7:47 p.m. | 1 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the Delete function. An attacker can permanently remove entire repositories, including all associated data and history, by sending a DELETE request to the API endpoint while possessing only read-level access...

CVSS 8.1 | AI score 5.6 | EPSS 0.00103
Exploits: 0 | References: 2
Snyk
added 2026/02/06 7:47 p.m. | 2 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the Delete function. An attacker can permanently remove entire repositories, including all associated data and history, by sending a DELETE request to the API endpoint while possessing only read-level access...

CVSS 8.1 | AI score 5.6 | EPSS 0.00103
Exploits: 0 | References: 2
Snyk
added 2026/02/06 6:52 p.m. | 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation: Upgrade...

CVSS 7.1 | AI score 5.5 | EPSS 0.00282
Exploits: 0 | References: 2
Snyk
added 2026/02/06 6:52 p.m. | 2 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation: Upgrade...

CVSS 7.1 | AI score 5.5 | EPSS 0.00282
Exploits: 0 | References: 2
Snyk
added 2026/02/06 6:52 p.m. | 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation: Upgrade gogs.io/gogs/internal/database to...

CVSS 7.1 | AI score 5.5 | EPSS 0.00282
Exploits: 0 | References: 2
Snyk
added 2026/02/06 6:52 p.m. | 6 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation: Upgrade gogs.io/gogs/internal/osutil to...

CVSS 7.1 | AI score 5.5 | EPSS 0.00282
Exploits: 0 | References: 2
Snyk
added 2026/02/06 6:52 p.m. | 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the synchronization process when a repository file is deleted prior to synchronization. An attacker can cause the application to crash by deleting a repository file before synchronization as an authenticated...

CVSS 7.1 | AI score 5.6 | EPSS 0.00336
Exploits: 1 | References: 2
Snyk
added 2026/02/06 6:52 p.m. | 4 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the synchronization process when a repository file is deleted prior to synchronization. An attacker can cause the application to crash by deleting a repository file before synchronization as an authenticated...

CVSS 7.1 | AI score 5.6 | EPSS 0.00336
Exploits: 1 | References: 2
RedhatCVE
added 2026/02/06 1:30 p.m. | 9 views

CVE-2025-14079

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the ehcrmticketgeneral function combined with a shared nonce that is exposed to low-privileg...

CVSS 5.3 | AI score 5.4 | EPSS 0.00268
Exploits: 0 | References: 1