22485 matches found
ROOT-OS-UBUNTU-2204-CVE-2026-43022 CVE-2026-43022 in rootio-linux - Patched by Root
Root has patched CVE-2026-43022 in the rootio-linux package for Root:Ubuntu:22.04. Multiple fixed versions available...
ROOT-OS-DEBIAN-12-CVE-2025-39751 CVE-2025-39751 in rootio-linux - Patched by Root
Root has patched CVE-2025-39751 in the rootio-linux package for Root:Debian:12. Multiple fixed versions available...
Zoho ManageEngine OpManager - SQL Injection
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL...
ionCube Tester Plus <= 1.3 - Local File Inclusion
The ionCube Tester Plus plugin for WordPress versions = 1.3 is vulnerable to unauthenticated arbitrary file read via path traversal. The 'ininame' parameter in loader-wizard.php is not properly sanitized, allowing attackers to read sensitive files such as wp-config.php and /etc/passwd without...
Danswer - Insecure Direct Object Reference
The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/fileid interface to view any user's file. id: CVE-2024-9617 info: name: Danswer - Insecure Direct Object Reference author: s4e-io severity: medium...
PraisonAI AgentOS - Information Disclosure
PraisonAI's AgentOS FastAPI application server exposes an unauthenticated GET /api/agents endpoint that lists every registered agent's name, role and the opening of its instructions system prompt. No authentication is enforced on the route, allowing a remote attacker to enumerate agent...
Masteriyo LMS <= 1.7.3 - Insecure Direct Object Reference
Authentication Bypass Using an Alternate Path or Channel vulnerability in Masteriyo Masteriyo - LMS. Unauth access to course progress.This issue affects Masteriyo - LMS: from n/a through 1.7.3. id: CVE-2024-33939 info: name: Masteriyo LMS = 1.7.3 - Insecure Direct Object Reference author:...
CVE-2026-44747
creationtimestamp| type| source ---|---|--- 2026-07-14 00:54:07+00:00| seen| https://bsky.app/profile/stackflag.bsky.social/post/3mqkymgc6gn2r 2026-07-14 02:27:20+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mql5t5mr6v2x 2026-07-14 03:00:30+00:00| seen|...
CVE-2026-55771
CVE-2026-55771 affects CedarJava prior to 4.9.0, where EntityIdentifier.equals() has inverted null/self-reference checks, causing incorrect equality results in custom integrations. The bug does not alter Cedar’s authorization decisions (computed in Rust from JSON) but could affect external code p...
CVE-2026-61971 WordPress User Profile Picture plugin <= 2.6.3 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through = 2.6.3...
CVE-2026-61971
The CVE covers the WordPress plugin Metronet Profile Picture (Cozmoslabs User Profile Picture) insecure direct object references affecting versions
CVE-2026-57694 WordPress Tutor LMS plugin <= 3.9.13 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through = 3.9.13...
CVE-2026-12274
CVE-2026-12274 affects the Tutor LMS WordPress plugin prior to 3.9.13. The underlying issue is that content-builder save handlers do not verify that the requesting user is authorized to edit the target post, instead authenticating only against an unrelated identifier. This allows authenticated us...
CVE-2026-12274 Tutor LMS < 3.9.13 - Instructor+ Arbitrary Post Overwrite via IDOR
The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-leve...
CVE-2026-12271
The CVE describes a vulnerability in the Tutor LMS WordPress plugin prior to 3.9.13 where the system does not verify ownership of the targeted quiz attempt before writing to it. This allows authenticated users with subscriber-level access and above to modify and force-complete other students’ qui...
MINI-53JX-P9PJ-2M68
Bulletin has no description...
MINI-CFVV-PH5J-MRV8
Bulletin has no description...
kernel security, bug fix, and enhancement update
4.18.0-553.141.1 - Update Oracle Linux certificates Kevin Lyons - Disable signing for aarch64 Ilya Okomin - Oracle Linux RHCK Module Signing Key was added to the kernel trusted keys list olkmodsigningkey.pem Orabug: 29539237 - Update x509.genkey Orabug: 24817676 - Conflict with shim-ia32 and...
WordPress Academy LMS plugin <= 3.8.0 - Authenticated (Subscriber+) Insecure Direct Object Reference vulnerability
Authenticated Subscriber+ Insecure Direct Object Reference vulnerability discovered by sorawautsukushiii in WordPress Plugin Academy LMS versions = 3.8.0...
CVE-2026-10041
The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfmproductarchive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...