65767 matches found
EUVD-2026-33042
Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite component: Internal Operations. Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle...
CVE-2026-35277
Vulnerability in Oracle REST Data Services component: Core. Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can...
CVE-2026-35266
Vulnerability in Oracle REST Data Services component: Core. Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction...
CVE-2026-41160 EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw Broken Access Control in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first,...
CVE-2026-41160 EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw Broken Access Control in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first,...
CVE-2026-35672
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...
USN-8339-1: OpenJDK 25 vulnerabilities
Thomas Beckers discovered that the JAXP component of OpenJDK 25 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access to sensitive information. CVE-2026-22016 It was discovered that the Networking component of...
CVE-2026-35672 phpMyFAQ - Authentication Bypass via Empty API Token
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...
CVE-2026-35672
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...
CVE-2026-35672
CVE-2026-35672 affects phpMyFAQ prior to 4.1.3 where the default API client token is an empty string. The authentication check compares the configured token to the request header x-pmf-token and uses strict inequality; if the header is empty, authentication is bypassed. This allows unauthenticate...
CVE-2026-35672 phpMyFAQ - Authentication Bypass via Empty API Token
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...
MAL-2026-4837 Malicious code in my-test-package-2025-xyz (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 a2f3ab0a3c7ef9009c99575d9dd051c4a97575435cabf5d3a4c223f53bc47b89 During installation, the package opens a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...
CVE-2026-6937 Appointment Booking Calendar <= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification via Bulk Appointments REST API Endpoint
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointmen...
CVE-2026-8689 Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages and uploadData functions, where the wpajaxvisualizer-create-chart an...
CVE-2026-8689 Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages and uploadData functions, where the wpajaxvisualizer-create-chart an...
EUVD-2026-32745
The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This mak...
CVE-2026-8689
The CVE concerns the Visualizer: Tables and Charts Manager for WordPress plugin (WordPress) with versions up to 3.11.14. Root cause: missing capability checks on renderChartPages() and uploadData(), enabling certain AJAX actions (wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and...
CVE-2026-9015 Equalize Digital Accessibility Checker <= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action
The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This mak...
CVE-2026-9015 Equalize Digital Accessibility Checker <= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action
The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This mak...
CVE-2026-8682 3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint
The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...