56 matches found
CVE-2026-14250
The Themehunk Login Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.2. This is due to the handlefrontendregister function in the unauthenticated /thlogin/v1/register REST endpoint accepting a user-controlled 'role' parameter and...
CVE-2026-14250
The CVE-2026-14250 issue affects the Themehunk Login Registration plugin for WordPress up to version 1.0.2. The root cause is in handle_frontend_register() at the unauthenticated /thlogin/v1/register REST endpoint, which accepts a user-controlled role parameter and validates it only against get_e...
EUVD-2026-41733
A flaw has been found in SourceCodester Onlne Examination & Learning Management System 1.0. The impacted element is an unknown function of the file register.php of the component Registration Endpoint. Executing a manipulation of the argument role can lead to improper privilege management. The...
CVE-2026-14719
A flaw has been found in SourceCodester Onlne Examination & Learning Management System 1.0. The impacted element is an unknown function of the file register.php of the component Registration Endpoint. Executing a manipulation of the argument role can lead to improper privilege management. The...
PT-2026-55773
Name of the Vulnerable Software and Affected Versions SourceCodester Onlne Examination & Learning Management System version 1.0 Description An issue exists in the Registration Endpoint within the register.php file. A remote attacker can manipulate the role argument to cause improper privilege...
EUVD-2025-210337
Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...
CVE-2025-71327
Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...
EUVD-2026-38999
Missing Authentication for Critical Function CWE-306 in the RegisterView apps/accounts/views.py, exposed at POST /api/auth/register/, in MailerUp 1.0.1 allows a remote, unauthenticated attacker to self-register a working account on instances where registration is intended to be restricted, becaus...
PT-2026-51838
Name of the Vulnerable Software and Affected Versions MailerUp versions prior to 1.0.1 Description Missing authentication for a critical function in the RegisterView apps/accounts/views.py allows a remote, unauthenticated attacker to self-register an account on instances where registration should...
CVE-2026-42230 n8n: Open Redirect in MCP OAuth Consent Flow
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirecturi values to be registered. When a user denies the MCP OAuth consent dialog,...
n8n 输入验证错误漏洞
n8n is an open-source, scalable workflow automation tool developed by n8n. Versions of n8n prior to 1.123.32, 2.17.4, and 2.18.1 contained a vulnerability related to input validation errors. This vulnerability stemmed from the /mcp-oauth/register endpoint, which allowed unauthenticated OAuth clie...
VulnCheck KEV: CVE-2025-59716
ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/email/token endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user...
CVE-2026-2375
The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the verifyrole function in AuthTrails.php explicitly whitelisting the wcfmvendor role alongside subscriber and...
CVE-2026-2375
The CVE covers the App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress. Affected: plugin version range up to 5.5.10 on WordPress sites using WCFM Marketplace. Root cause: verify_role() in AuthTrails.php explicitly whitelists the wcfm_vendor role alongside subscriber ...
CVE-2026-24097 Authenticated Host Enumeration via Observable Response Discrepancy on Agent Register Existing Endpoint
Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 EOL allows authenticated users to enumerate existing hosts by observing different HTTP response codes in agent-receiver/registerexisting endpoint, which could lead to information disclosure...
Simple Responsive Tourism Website 代码注入漏洞
Simple Responsive Tourism Website is a simple responsive tourism website. Version 1.0 of Simple Responsive Tourism Website has a code injection vulnerability. This vulnerability stems from incorrect handling of the parameters firstname, lastname, and username in the...
Outray cli is vulnerable to race conditions in tunnels creation
Summary A TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. Details Affected conponent: apps/web/src/routes/api/tunnel/register.ts - /tunnel/register endpoint code-: ts // Check if tunnel already exists in database const...
EUVD-2025-203498
The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /dokan/v1/wholesale/register REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve...
CVE-2025-12809 dokan pro <= 4.1.3 - Missing Authorization to Unauthenticated Sensitive Information Exposure
The Dokan Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /dokan/v1/wholesale/register REST API endpoint in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to enumerate users and retrieve...
CVE-2025-12809
CVE-2025-12809 : Dokan Pro (WordPress plugin) suffers an unauthenticated access flaw on REST endpoint /dokan/v1/wholesale/register due to a missing authorization check, enabling user data enumeration (emails, usernames, display names, roles, registration dates). Wordfence reports this and notes t...