EUVD-2026-38780

Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata...

CVE-2026-57285

CVE-2026-57285: A missing permission check in Jenkins GitHub Branch Source Plugin (versions 1967.1969.v205fd594c821 and earlier) allows users with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration. Affected component: Jenkins Git...

CSRF vulnerability and missing permission check in zdevops

zdevops 1.1.3.50.ve350c9b450b1 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...

CVE-2026-28587

CVE-2026-28587 affects the MmsSmsProvider component (MmsSmsProvider.java), enabling local information disclosure via a missing permission check. Exploitation requires no user interaction and does not require additional privileges; impact is confined to information disclosure. The vulnerability is...

PT-2026-50236

Name of the Vulnerable Software and Affected Versions Package Manager affected versions not specified Description A missing permission check in Package Manager allows for a device lock controller bypass. This issue enables local escalation of privilege without requiring additional execution...

EUVD-2026-37216

In smmuattachdev of arm-smmu-v3.c, there is a possible way to sign malicious Android Runtime bootclass artifacts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

PT-2026-48423

Name of the Vulnerable Software and Affected Versions Jenkins versions prior to 2.568 Jenkins LTS versions prior to 2.555.3 Description A missing permission check allows attackers who possess the Item/Cancel permission, but lack the Item/Read permission, to cancel queue items that they are not...

EUVD-2026-33801

In multiple functions of PackageInstallerService.java, there is a possible way to install unverified apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

CVE-2025-26418

In setUserDisclaimerAcknowledged of CarDevicePolicyService.java, there is a possible way to bypass the user dialog when adding an account to a managed device due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User...

EUVD-2026-33728

In addInputMethodListener of com.android.server.inputmethod.InputMethodManagerService, there is a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

Open WebUI: Missing permission check in files API allows authenticated users to list, access and delete every uploaded file

Summary A missing permission check in all files related API endpoints allows any authenticated user to list, access and delete every file uploaded by every user to the platform. Details All files/ related endpoints lack permission checks. Listing all files For example, let's see how file listing ...

WordPress plugin Forminator Forms 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-35913

A missing permission check in Jenkins Script Security Plugin 1399.ve6a 66547f6e1 and earlier allows attackers with Overall/Read permission to enumerate pending and approved Script Security classpaths...

CVE-2026-1930

The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pageoptionsajaxdisconnect function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above...

CVE-2026-30269

Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/username. The role field is accepted by the update model without a manageusers permission check for self-updates, enabling privileg...

CVE-2026-34738 AVideo: Video Publishing Workflow Bypass via Unauthorized overrideStatus Request Parameter

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" a. This bypasses the admin-controlled moderation and dra...

EUVD-2026-13984

The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wpajaxnopriv without proper authentication checks, capability verificatio...

EUVD-2026-10469

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ExtensionController::updateitempermissionscheck' function in all versions up to, and including, 1.0.16. This...

CVE-2026-1920

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ExtensionController::updateitempermissionscheck' function in all versions up to, and including, 1.0.16. This...

CVE-2025-48634

In relayoutWindow of WindowManagerService.java, there is a possible tapjack attack due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...