68 matches found

Vulnrichment
added 2026/05/01 1:28 p.m.

CVE-2026-3143 Total Upkeep <= 1.17.1 - Missing Authorization to Unauthenticated Rollback Cancellation

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxclicancel' function in all versions up to, and including, 1.17.1. This makes it possible for...

CVSS 5.3 | AI score 5.8 | EPSS 0.00073
Exploits 1 | References 5
Vulnrichment
added 2026/04/24 2:13 a.m.

CVE-2026-33318 Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowin...

CVSS 8.8 | AI score 5.5 | EPSS 0.00041
Exploits 1 | References 2
CVE
added 2026/04/21 5:09 p.m.

CVE-2026-41191

FreeScout vulnerability detail: before 1.8.215, MailboxesController::updateSave() persists chat_start_new outside the allowed-field filter. A user with only the mailbox sig permission can alter the hidden mailbox-wide chat setting via direct POST, despite UI restricting to the signature field. Ve...

CVSS 7.1 | AI score 5.8 | EPSS 0.00032
Exploits 0 | References 3
EUVD
added 2026/03/27 6:31 a.m.

EUVD-2026-16557

A flaw was found in firewalld. A local unprivileged user can exploit this vulnerability by mis-authorizing two runtime D-Bus Desktop Bus setters, setZoneSettings2 and setPolicySettings. This mis-authorization allows the user to modify the runtime firewall state without proper authentication,...

CVSS 5.5 | AI score 5.7 | EPSS 0.00031
Exploits 0 | References 3
CVE
added 2026/03/04 11:22 a.m.

CVE-2026-1674

CVE-2026-1674 affects Gutena Forms for WordPress (all versions

CVSS 6.5 | AI score 5.8 | EPSS 0.00013
Exploits 0 | References 2
CVE
added 2026/02/10 5:27 p.m.

CVE-2026-0653

CVE-2026-0653 affects TP-Link Tapo C260 v1 and D235 v1. A guest-level authenticated user can bypass access controls by sending crafted requests to a synchronization endpoint, enabling modification of protected device settings with limited privileges. Root cause: insufficient access control leadin...

CVSS 7.2 | AI score 5.8 | EPSS 0.00065
Exploits 1 | References 4 | Affected Software 1
Packet Storm
added 2026/02/05 12:00 a.m.

Casdoor 2.284.0 / 2.285.0 Cross Site Request Forgery

Casdoor versions 2.284.0 and 2.285.0 suffer a cross site request forgery vulnerability that was originally discovered in an earlier version but has not been addressed. Related CVE number: CVE-2023-34927. Exploit Title: Casdoor v2.284.0 2026-02-03 & v2.285.0 2026-02-03 - Cross-Site Request Forgery...

CVSS 6.5 | AI score 5 | EPSS 0.00404
Exploits 10
Positive Technologies
added 2025/12/22 12:00 a.m.

PT-2025-52704

Name of the Vulnerable Software and Affected Versions Screen SFT DAB 600/C version 1.9.3 Description The Screen SFT DAB 600/C firmware contains a flaw that permits unauthorized modification of the administrator password without current credentials. An attacker can exploit this by sending a...

CVSS 9.3 | AI score 6.8 | EPSS 0.00255
Exploits 2 | References 10
NVD
added 2025/12/18 3:16 p.m.

CVE-2025-65010

WODESYS WD-R608U router also known as WDR122B V2.0 and WDR28 is vulnerable to Broken Access Control in initial configuration wizard.cgi endpoint. Malicious attacker can change admin panel password without authorization. The vulnerability can also be exploited after the initial configuration has...

CVSS 7.1 | EPSS 0.00022
Exploits 0 | References 3
CVE
added 2025/12/18 3:10 p.m.

CVE-2025-65010

CVE-2025-65010 (WODESYS WD-R608U router / WDR122B V2.0 / WDR28) is documented with concrete details: multiple Red Hat and NVD entries describe vulnerabilities tied to the WD-R608U platform. Affected issues include Broken Access Control in the initial configuration wizard.cgi endpoint, where an at...

CVSS 7.1 | AI score 6.8 | EPSS 0.00022
Exploits 0 | References 3
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2018-2579

Malware in sbrugna...

CVSS 4.4 | AI score 5 | EPSS 0.00796
Exploits 5 | References 5
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2021-19278

Malware in sbrugna...

CVSS 8.8 | AI score 8.7 | EPSS 0.00305
Exploits 0 | References 2
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-29122

Malicious code in bioql PyPI...

CVSS 7.1 | AI score 6.6 | EPSS 0.02446
Exploits 0 | References 2
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2022-47584

Malicious code in bioql PyPI...

CVSS 7.8 | AI score 7.5 | EPSS 0.00091
Exploits 0 | References 2
NVD
added 2025/09/14 1:15 p.m.

CVE-2025-10204

A vulnerability has been discovered in AC Smart II where passwords can be changed without authorization. This page contains a hidden form for resetting the administrator password. The attacker can manipulate the page using developer tools to display and use the form. This form allows you to chang...

CVSS 7.1 | EPSS 0.02446
Exploits 0 | References 1
Tenable Nessus
added 2025/08/27 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2024-12431

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in GitLab CE/EE affecting all versions starting from 15.5 before 17.5.5, 17.6 before 17.6.3, and 17.7 before 17.7.1, in which unauthoriz...

CVSS 4.3 | AI score 5.5 | EPSS 0.00114
Exploits 1 | References 2
Cvelist
added 2025/08/21 12:00 a.m.

CVE-2025-55367

Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account...

EPSS 0.00084
Exploits 1 | References 3
Tenable Nessus
added 2025/05/05 12:00 a.m.

Configuration Download Detected (High)

The system detected a change in the controller configuration that was made via the network. An attacker may use configuration changes to disrupt normal operations, to cause production losses, or to create a security threat. This plugin only works with Tenable.ot. Please visit...

AI score 5.4
Exploits 0
OSV
added 2024/11/08 5:54 a.m.

CVE-2024-50192 irqchip/gic-v4: Don't allow a VMOVP on a dying VPE

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Kunkun Jiang reported that there is a small window of opportunity for userspace to force a change of affinity for a VPE while the VPE has already been unmapped, but the...

CVSS 4.7 | AI score 5.9 | EPSS 0.00012
Exploits 0 | References 11
CNNVD
added 2024/04/10 12:00 a.m.

lunary security vulnerability

Lunary is a production toolkit for LLM that is open sourced by lunary. A security vulnerability exists in lunary that stems from allowing a deleted user to change the name of an organization without authorization...

CVSS 7.5 | AI score 7.5 | EPSS 0.00101
Exploits 1 | References 2