
4740 matches found

NVD
added 2 days ago, 6 views

CVE-2026-11880

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users...

CVSS 3.1 | EPSS 0.00139
Exploits 0 | References 1
Cvelist
added 2 days ago, 34 views

CVE-2026-11880 Fluent Forms < 6.2.1 - Subscriber+ Subscription Cancellation via IDOR

The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account to cancel subscriptions belonging to other users...

EPSS 0.00139
Exploits 0 | References 1
CVE
added 2 days ago, 13 views

CVE-2026-11880

The CVE-2026-11880 entry concerns Fluent Forms WordPress plugin versions prior to 6.2.1, where ownership is not properly verified before processing a subscription cancellation request. This allows authenticated users with a low-privilege account to cancel subscriptions belonging to other users du...

CVSS 3.1 | AI score 5.8 | EPSS 0.00139
Exploits 0 | References 1
EUVD
added 2 days ago, 4 views

EUVD-2026-40430

Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and...

CVSS 7.6 | AI score 5.8 | EPSS 0.00257
Exploits 0 | References 3
EUVD
added 2 days ago, 5 views

EUVD-2026-40416

yudao-cloud before 2026.06 contains a broken access control vulnerability in the BPM module that allows any authenticated user to access arbitrary process instance records by supplying a caller-controlled process-instance identifier to an unprotected endpoint lacking the @PreAuthorize annotation...

CVSS 7.1 | AI score 5.9 | EPSS 0.00235
Exploits 0 | References 4
NVD
added 3 days ago, 6 views

CVE-2026-56249

Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and...

CVSS 7.6 | EPSS 0.00257
Exploits 0 | References 2
NVD
added 3 days ago, 7 views

CVE-2026-58447

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint...

CVSS 7.1 | EPSS 0.00225
Exploits 0 | References 4
CVE
added 3 days ago, 6 views

CVE-2026-56249

Capgo before 12.128.2 has an authorization bypass in the channel creation endpoint that lets authenticated users overwrite existing channels by reusing names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and upsert operations to reassign c...

CVSS 7.6 | AI score 5.8 | EPSS 0.00257
Exploits 0 | References 2
Cvelist
added 3 days ago, 21 views

CVE-2026-56249 Capgo - Unauthorized Channel Overwrite and Ownership Takeover via POST /channel Name Collision

Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and...

CVSS 7.6 | EPSS 0.00257
Exploits 0 | References 2
CVE
added 3 days ago, 7 views

CVE-2026-58447

CVE-2026-58447 (Invidious) : A broken object-level authorization vulnerability affects Invidious up to version 2.20260626.0. An authenticated attacker can delete videos from other users’ playlists by supplying an arbitrary global video index to the remove_video endpoint, using per-video indices e...

CVSS 7.1 | AI score 5.9 | EPSS 0.00225
Exploits 0 | References 4
Cvelist
added 3 days ago, 31 views

CVE-2026-58447 Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint...

CVSS 7.1 | EPSS 0.00225
Exploits 0 | References 4
Cvelist
added 3 days ago, 32 views

CVE-2026-27881 Coolify: Cross-team deployment information disclosure via GET /api/v1/deployments/{uuid} (IDOR)

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, GET /api/v1/deployments/{uuid} in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any...

CVSS 5 | EPSS 0.00162
Exploits 0 | References 1
Cvelist
added 3 days ago, 31 views

CVE-2026-54475 Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover

Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing...

EPSS 0.00377
Exploits 0 | References 1
NVD
added 3 days ago, 12 views

CVE-2026-9576

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from...

CVSS 4.9 | EPSS 0.00234
Exploits 0 | References 1
EUVD
added 3 days ago, 4 views

EUVD-2026-40264

The Fluent Booking WordPress plugin before 2.1.2 does not verify ownership of the requested group_id before exporting attendee data via the export endpoint, allowing users with at least the Calendar Manager role to retrieve attendees' PII (name, email, phone, address, payment information) from...

CVSS 4.9 | AI score 5.8 | EPSS 0.00234
Exploits 0 | References 1
CVE
added 3 days ago, 12 views

CVE-2026-9576

CVE-2026-9576 affects the Fluent Booking WordPress plugin (versions before 2.1.2). The vulnerability arises from not verifying ownership of the requested group_id before exporting attendees data via the export endpoint, allowing users with at least the Calendar Manager role to access attendees’ P...

CVSS 4.9 | AI score 5.8 | EPSS 0.00234
Exploits 0 | References 1
NVD
added 4 days ago, 7 views

CVE-2026-57498

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept...

CVSS 9.6 | EPSS 0.00223
Exploits 0 | References 1
CVE
added 4 days ago, 10 views

CVE-2026-57498

CVE-2026-57498 affects Coolify. Before 4.0.0-beta.474, API controllers validated server ownership via Server::whereTeamId($teamId) for operations, but multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without team ownership validation. This enable...

CVSS 9.6 | AI score 5.8 | EPSS 0.00223
Exploits 0 | References 1
ATTACKERKB
added 4 days ago, 5 views

CVE-2026-57498

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept...

CVSS 9.6 | AI score 5.8 | EPSS 0.00223
Exploits 0 | References 2 | Affected Software 1
NVD
added 4 days ago, 9 views

CVE-2026-57943

LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate sharedto relations without prop...

CVSS 6 | EPSS 0.0021
Exploits 0 | References 5