1173 matches found

Vulnrichment
added 2026/02/06 9:29 p.m., 5 views

CVE-2026-25758 Spree allows unauthenticated users can access all guest addresses

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to...

CVSS 8.7, AI score 5.8, EPSS 0.00599
Exploits 1, References 10
CNNVD
added 2026/02/06 12:00 a.m., 3 views

Spree security vulnerability

Spree is an open-source e-commerce platform developed using Ruby on Rails by an individual developer. Vulnerabilities exist in versions prior to Spree 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2. These vulnerabilities stem from insecure direct object references within the checkout process, which could...

CVSS 8.7, AI score 5.8, EPSS 0.00599
Exploits 1, References 11
CNNVD
added 2026/02/06 12:00 a.m., 4 views

Spree security vulnerability

Spree is an open-source e-commerce platform developed using Ruby on Rails by an individual developer. Vulnerabilities exist in versions prior to Spree 5.0.8, 5.1.10, 5.2.7, and 5.3.2. These vulnerabilities allow unverified users to view completed guest orders, potentially leading to the disclosure o...

CVSS 8.7, AI score 5.8, EPSS 0.00441
Exploits 1, References 9
Github Security Blog
added 2026/02/05 9:13 p.m., 6 views

Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Unauthenticated users can view completed guest orders by Order ID (GHSL-2026-029). The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token. Order lookup without enforcing token requirement in OrdersController#show: rub...

CVSS 8.7, AI score 5.5, EPSS 0.00441
Exploits 1, References 11, Affected Software 1
RubySec
added 2026/02/05 12:00 a.m., 9 views

Unauthenticated Spree Commerce users can access all guest addresses

Summary: A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) includi...

CVSS 8.7, AI score 5.9, EPSS 0.00599
Exploits 1, References 1, Affected Software 1
Positive Technologies
added 2026/02/05 12:00 a.m., 8 views

PT-2026-6726

Name of the Vulnerable Software and Affected Versions: Spree versions prior to 5.0.8; Spree versions prior to 5.1.10; Spree versions prior to 5.2.7; Spree versions prior to 5.3.2. Description: Spree, an open source e-commerce solution, contains a flaw where unauthenticated users can view completed gues...

CVSS 8.7, AI score 5.5, EPSS 0.00441
Exploits 1, References 15
RedhatCVE
added 2026/02/04 1:20 p.m., 5 views

CVE-2025-11598

In the mObywatel iOS application, an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view...

CVSS 1, AI score 5.4, EPSS 0.00151
Exploits 0, References 1
NVD
added 2026/02/03 7:16 p.m., 5 views

CVE-2026-25483

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script...

CVSS 6.2, EPSS 0.003
Exploits 1, References 4
CNNVD
added 2026/02/03 12:00 a.m., 5 views

Ministerstwo Cyfryzacji mObywatel security vulnerability

Ministerstwo Cyfryzacji mObywatel is a national digital identity and government services application developed by the Polish Ministry of Digital Affairs. Versions of Ministerstwo Cyfryzacji mObywatel prior to version 4.71.0 contained a security vulnerability. This vulnerability allowed unauthoriz...

CVSS 1, AI score 5.8, EPSS 0.00151
Exploits 0, References 2
Malwarebytes
added 2026/01/30 2:23 p.m., 6 views

Match, Hinge, OkCupid, and Panera Bread breached by ransomware group

The ShinyHunters ransomware group has claimed the theft of data containing 10 million records belonging to the Match Group and 14 million records from bakery-café chain Panera Bread. (Image: claims posted by ShinyHunters.) The Match Group, which runs multiple popular online dating services like Tinder,...

AI score 5.8
Exploits 0
Cvelist
added 2026/01/28 6:43 a.m., 33 views

CVE-2026-0825 Database for Contact Form 7, WPforms, Elementor forms <= 1.4.5 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download...

CVSS 5.3, EPSS 0.00408
Exploits 0, References 6
NVD
added 2026/01/26 10:16 a.m., 4 views

CVE-2025-59109

The dormakaba registration units 9002 PIN Pad Units have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an...

CVSS 5.1, EPSS 0.00456
Exploits 0, References 4
Snyk
added 2026/01/24 12:51 a.m., 8 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the order GraphQL query. An attacker can access sensitive information, including personally identifiable information (PII), by sending unauthorized queries to the API. Workaround: This...

CVSS 8.7, AI score 5.9, EPSS 0.00364
Exploits 1, References 2
Vulnrichment
added 2026/01/20 4:35 a.m., 4 views

CVE-2025-14348 weMail <= 2.0.7 - Insufficient Authorization via x-wemail-user Header to Sensitive Information Disclosure

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the x-wemail-user HTTP header to identif...

CVSS 5.3, AI score 5.5, EPSS 0.00268
Exploits 0, References 4
RedhatCVE
added 2026/01/17 8:27 p.m., 13 views

CVE-2026-23723

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an authenticated SQL Injection vulnerability was identified in the AtendidoocorrenciaControle endpoint via the idmemorando parameter. This flaw allows for full database exfiltration, exposure of sensitive PII, and potential...

CVSS 7.2, AI score 7.7, EPSS 0.00377
Exploits 1, References 1
RedhatCVE
added 2026/01/17 5:22 a.m., 9 views

CVE-2025-14982

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the...

CVSS 4.3, AI score 5.4, EPSS 0.00342
Exploits 0, References 1
RedhatCVE
added 2026/01/17 3:22 a.m., 4 views

CVE-2025-69581

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personaldata endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to...

CVSS 5.5, AI score 6.5, EPSS 0.00213
Exploits 2, References 1
OSV
added 2026/01/16 8:15 p.m., 2 views

CVE-2025-69581

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personaldata endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to...

CVSS 5.5, AI score 5.5, EPSS 0.00213
Exploits 2, References 2
CVE
added 2026/01/16 4:44 a.m., 10 views

CVE-2025-14982

The CVE-2025-14982 entry concerns the WordPress Booking Calendar plugin (versions ≤ 10.14.11). The vulnerability is Missing Authorization that enables an authenticated attacker with Subscriber privileges or higher to view all booking records and PII (names, emails, phones, addresses, payment stat...

CVSS 4.3, AI score 5, EPSS 0.00342
Exploits 0, References 9
Vulnrichment
added 2026/01/16 4:44 a.m., 2 views

CVE-2025-14982 Booking Calendar <= 10.14.11 - Missing Authorization to Sensitive Information Exposure

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the...

CVSS 4.3, AI score 5, EPSS 0.00342
Exploits 0, References 9