21206 matches found
CVE-2026-7051 Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2SPostTools::deleteUserPublishPost and B2SPostTools::deleteUserSchedPost functions,...
EUVD-2026-29899
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2SPostTools::deleteUserPublishPost and B2SPostTools::deleteUserSchedPost functions,...
CVE-2026-7051 Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2SPostTools::deleteUserPublishPost and B2SPostTools::deleteUserSchedPost functions,...
CVE-2025-9988 Broadstreet <= 1.53.1 - Missing Authorization to Authenticated (Subscriber+) Advertiser Creation
The Broadstreet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the createadvertiser AJAX action in all versions up to, and including, 1.53.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create...
CVE-2025-9988
CVE-2025-9988 affects the WordPress Broadstreet plugin (versions
CVE-2025-9988 Broadstreet <= 1.53.1 - Missing Authorization to Authenticated (Subscriber+) Advertiser Creation
The Broadstreet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the createadvertiser AJAX action in all versions up to, and including, 1.53.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create...
WordPress My Calendar – Accessible Event Manager plugin <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication vulnerability
Authenticated Custom+ Missing Authorization to Unauthorized Event Publication vulnerability discovered by type5afe in WordPress Plugin My Calendar versions = 3.7.9...
PT-2026-40563
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2S Post Tools::deleteUserPublishPost and B2S Post Tools::deleteUserSchedPost...
Gitlab -- vulnerabilities
Gitlab reports: Cross-site Scripting issue in Analytics dashboard chart rendering impacts GitLab EE Cross-site Scripting issue in global search impacts GitLab CE/EE Cross-site Scripting issue in Duo Agent output rendering impacts GitLab EE Cross-site Scripting issue in Analytics Dashboard impacts...
CVE-2026-44341 GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint
GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...
CVE-2026-5371 MonsterInsights <= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset
The MonsterInsights – Google Analytics Dashboard for WordPress Website Stats Made Easy plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability checks on the getadsaccesstoken and resetexperience functions in all versions up to, and including,...
CVE-2026-44010 Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver src/gql/resolvers/elements/Address.php performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read ever...
EUVD-2026-29636
Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network...
GHSA-GQ6F-QWV9-RF4J mem0 server lacks authentication and authorization controls for its memory deletion API endpoint
The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...
EUVD-2026-29536
Missing Authorization vulnerability in WPMU DEV Hustle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hustle: through 7.8.10.1...
EUVD-2026-29544
Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions : Devolutions Server...
CVE-2026-35438
Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network...
CVE-2026-31241
The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...
CVE-2026-26083
A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSandbox PaaS 23.1 all versions, FortiSandbox PaaS 22.2 all...
CVE-2026-8407
Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions : Devolutions Server...