1108 matches found
CVE-2026-58252
A flaw was found in NATS Server. An authenticated user could bypass configured access restrictions and receive messages on subjects that were explicitly denied. This occurs when a wildcard subscription overlaps with a wildcard deny rule but is not a direct subset, or when queue subscriptions...
CVE-2026-58251
A flaw was found in NATS Server, a high-performance messaging system. An authenticated user with specific permissions could bypass security rules designed to deny access to certain message subjects. This bypass occurs when a queue subscription is used, allowing the user to access information that...
CVE-2026-58252
CVE-2026-58252 affects NATS Server prior to versions 2.14.0, 2.12.7, and 2.11.16. An authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it; queue subscriptions could also affect delivery...
EUVD-2026-42229
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the paymentpage function due to missing validation on the 'userid' user...
WordPress Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More plugin <= 2.2.0 - Other Vulnerability Type vulnerability
Other Vulnerability Type vulnerability discovered by dodoh4t in WordPress Plugin Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More versions = 2.2.0...
CVE-2026-57348
Unauthenticated Server Side Request Forgery SSRF in Paid Member Subscriptions = 3.0.4 versions...
CVE-2026-57348 WordPress Paid Member Subscriptions plugin <= 3.0.4 - Server Side Request Forgery (SSRF) vulnerability
Unauthenticated Server Side Request Forgery SSRF in Paid Member Subscriptions = 3.0.4 versions...
CVE-2026-57348
CVE-2026-57348 affects WordPress plugin Paid Member Subscriptions (versions <= 3.0.4). An unauthenticated server-side request forgery (SSRF) vulnerability exists in this plugin, enabling an attacker to induce the server to fetch arbitrary resources. The CVSSv3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C...
CVE-2026-10820
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user Subscriber+ to cancel other...
CVE-2026-10820
The CVE-2026-10820 entry concerns the WordPress plugin family “Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content” prior to version 4.16.17. The root cause is Insecure Direct Object Reference (IDOR): the system does not verify that the user init...
CVE-2026-56061
Unauthenticated Broken Access Control in Subscriptions for WooCommerce = 1.9.5 versions...
CVE-2026-56061 WordPress Subscriptions for WooCommerce plugin <= 1.9.5 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Subscriptions for WooCommerce = 1.9.5 versions...
EUVD-2026-39715
Unauthenticated Broken Access Control in Subscriptions for WooCommerce = 1.9.5 versions...
CVE-2026-56061
CVE-2026-56061 concerns the WordPress Subscriptions for WooCommerce plugin, affected versions
PT-2026-52768
Name of the Vulnerable Software and Affected Versions Subscriptions for WooCommerce versions prior to 1.9.6 Description An unauthenticated broken access control issue exists, allowing unauthorized users to bypass security restrictions. Recommendations Update to a version newer than 1.9.5...
WordPress Subscriptions for WooCommerce plugin <= 1.9.5 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Jakub Herman in WordPress Plugin Subscriptions for WooCommerce versions = 1.9.5...
CVE-2026-6062
CVE-2026-6062 affects Mattermost versions 11.7.x ≤ 11.7.0, 11.6.x ≤ 11.6.2, 11.5.x ≤ 11.5.5, and 10.11.x ≤ 10.11.17. The issue is a logic flaw where the system fails to validate channel ownership of an existing subscription before applying edits, enabling an authenticated attacker to hijack subsc...
EUVD-2026-38250
Mattermost versions 11.7.x = 11.7.0, 11.6.x = 11.6.2, 11.5.x = 11.5.5, 10.11.x = 10.11.17 Fail to validate channel ownership of an existing subscription before applying edits which allows an authenticated attacker to hijack subscriptions from channels they have no access to via a crafted PUT...
GHSA-FCVX-5CXC-V5P8 OpenClaw: Slack reaction events could ignore reaction notification settings
Summary Slack reaction events could ignore reaction notification settings. In affected versions, a Slack reaction event delivered to the configured app could enter the agent pipeline even when reaction notifications were disabled. This advisory is scoped to the named feature and configuration. It...
GHSA-99F9-J8R3-P853 Hermes Agent creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644)
Hermes Agent before 0.16.0 creates responsestore.db and webhooksubscriptions.json with world-readable permissions mode 0o644, exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including...