Lucene search
K

471 matches found

NVD
NVD
added 5 days ago5 views

CVE-2026-22659

FlaskBB through 2.2.0, fixed in commit acc88cf, contains an authorization bypass vulnerability that allows authenticated moderators to perform unauthorized actions on topics in forums they do not control by submitting crafted topic ID lists. Attackers can include a low-ID topic from a permitted...

8.1CVSS0.00284EPSS
Exploits0References3
NVD
NVD
added 2026/07/02 6:16 a.m.10 views

CVE-2026-5348

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to 'returntrue',...

5.3CVSS0.00262EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/02 5:35 a.m.38 views

CVE-2026-5348 Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to 'returntrue',...

5.3CVSS0.00262EPSS
Exploits0References8
CVE
CVE
added 2026/07/02 5:35 a.m.19 views

CVE-2026-5348

The CVE concerns the WordPress plugin Academy LMS (WordPress LMS Plugin for Complete eLearning Solution) up to version 3.8.1. The root cause is the REST API endpoint /topics being registered with a permission callback of __return_true, which permits unauthenticated access to course curriculum dat...

5.3CVSS5.8AI score0.00262EPSS
Exploits0References8
EUVD
EUVD
added 2026/07/02 5:35 a.m.12 views

EUVD-2026-41250

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to 'returntrue',...

5.3CVSS5.8AI score0.00262EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/07/02 5:35 a.m.7 views

CVE-2026-5348

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to 'returntrue',...

5.3CVSS5.8AI score0.00262EPSS
Exploits0References9
Patchstack
Patchstack
added 2026/07/01 12:0 a.m.5 views

WordPress Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin <= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure vulnerability

Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Academy LMS versions = 3.8.1...

5.3CVSS5.8AI score0.00262EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/12 3:16 p.m.18 views

CVE-2026-10557

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers...

9.8CVSS0.00353EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/12 2:1 p.m.39 views

CVE-2026-7368 Yarbo Android/iOS Mobile Application and Cloud Infrastructure Missing Authorization

The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic...

8.6CVSS0.00259EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/12 2:1 p.m.9 views

CVE-2026-7368 Yarbo Android/iOS Mobile Application and Cloud Infrastructure Missing Authorization

The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic...

8.6CVSS5.3AI score0.00259EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 2:1 p.m.23 views

CVE-2026-7368

The CVE covers Yarbo Android/iOS mobile app and Yarbo cloud infrastructure where per-device/user authorization is not enforced. The system allows any client with valid credentials to subscribe to wildcard topics for all robots and publish to any robot’s command topic using only the robot’s serial...

8.6CVSS5.3AI score0.00259EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.34 views

PT-2026-48886

Name of the Vulnerable Software and Affected Versions Yarbo cloud affected versions not specified Description The cloud service fails to enforce per-device or per-user authorization. A client with valid credentials, including shared hard-coded credentials or legitimate per-user credentials, can...

8.6CVSS5.2AI score0.00259EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/10 9:8 p.m.32 views

CVE-2026-46679 libp2p: Memory DoS via subscription flood of unique topics

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23...

7.5CVSS0.00278EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/10 9:8 p.m.10 views

CVE-2026-46679 libp2p: Memory DoS via subscription flood of unique topics

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23...

7.5CVSS5.3AI score0.00278EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:22 p.m.11 views

CVE-2026-7415

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization...

9.8CVSS5.5AI score0.00544EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/06/02 3:50 p.m.13 views

CVE-2026-35443 NamelessMC: Forum reactions bypass the "view own topics only" restriction

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...

5.3CVSS5.8AI score0.00235EPSS
Exploits0References1
CVE
CVE
added 2026/06/02 3:50 p.m.19 views

CVE-2026-35443

NamelessMC (website software for Minecraft servers) is affected in version 2.2.4. The vulnerability lies in modules/Forum/classes/ForumPostReactionContext.php, where topic-level view_other_topics authorization is not re-enforced, allowing reactions on other users’ topics to be read and modified. ...

5.3CVSS5.8AI score0.00235EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/02 3:50 p.m.33 views

CVE-2026-35443 NamelessMC: Forum reactions bypass the "view own topics only" restriction

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...

5.3CVSS0.00235EPSS
Exploits0References1
OSV
OSV
added 2026/06/02 3:50 p.m.3 views

CVE-2026-35443 NamelessMC: Forum reactions bypass the "view own topics only" restriction

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...

5.3CVSS5.9AI score0.00235EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/02 3:30 p.m.16 views

EUVD-2026-33962

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4...

6.9CVSS5.7AI score0.00249EPSS
Exploits0References2
Rows per page
Query Builder