Lucene search
K

4792 matches found

Nuclei
Nuclei
added 19 hours ago12 views

WordPress Simple Job Board - Unauthorized Data Access

The Simple Job Board plugin for WordPress is vulnerable to unauthorized data access due to insufficient authorization checking in the fetchquickjob function in all versions up to and including 2.10.8. This makes it possible for unauthenticated attackers to fetch arbitrary posts, which can be...

5.3CVSS6.7AI score0.00909EPSS
Exploits0References3
Nuclei
Nuclei
added 19 hours ago157 views

Navidrome <=0.54.5 - Authentication Bypass in Subsonic API

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

6.9CVSS6.2AI score0.00936EPSS
Exploits1References1
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-1359 Genolve – AI image AI video generation <= 5.0.5 - Authenticated (Contributor+) Incorrect Authorization to Privilege Escalation via theopt

The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolvesetOpt function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-leve...

8.8CVSS0.00308EPSS
Exploits0References2
NVD
NVD
added 2 days ago7 views

CVE-2026-3552

The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajaximport410 function in all versions up to 2.6.0. This is due to a missing capability check currentusercan and missing nonce verification...

4.3CVSS0.00213EPSS
Exploits0References8
NVD
NVD
added 4 days ago6 views

CVE-2026-9235

The DHL eCommerce Benelux for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the createlabel and deletelabel functions in versions up to, and including, 2.2.3. These functions are wir...

4.3CVSS0.00196EPSS
Exploits0References5
EUVD
EUVD
added 4 days ago10 views

EUVD-2026-42558

The Colissimo Officiel : Méthodes de livraison pour WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateShippingMethod function registered to the wpajaxlpcorderaffect AJAX action in versions up to, and including, 2.9.0...

4.3CVSS6AI score0.00196EPSS
Exploits0References5
NVD
NVD
added 5 days ago7 views

CVE-2026-57481

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber'...

2.3CVSS0.00386EPSS
Exploits0References7
Cvelist
Cvelist
added 5 days ago35 views

CVE-2026-57481 Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access change

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber'...

2.3CVSS0.00386EPSS
Exploits0References7
Cvelist
Cvelist
added 6 days ago28 views

CVE-2026-50530 DataEase: Token with Overly Broad Privileges in Share Mode: Access to Unshared Datasets

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing...

7.1CVSS0.00238EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 6 days ago5 views

CVE-2026-50530

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing...

7.1CVSS6AI score0.00238EPSS
Exploits0References4Affected Software1
OSV
OSV
added 6 days ago4 views

CVE-2026-50530 DataEase: Token with Overly Broad Privileges in Share Mode: Access to Unshared Datasets

DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing...

7.1CVSS6AI score0.00238EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/06 8:48 a.m.9 views

EUVD-2026-41860

An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user...

9.3CVSS5.9AI score0.00309EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 8:38 a.m.36 views

CVE-2026-24013 Apache IoTDB: Authentication Bypass via Forged SessionID in Thrift RPC

Authentication Bypass by Spoofing vulnerability in Apache IoTDB. Certain Thrift RPC query handlers lack strict validation of the sessionId parameter. An attacker can construct requests with a forged sessionId and, without performing openSession authentication, receive valid query results. This...

0.00471EPSS
Exploits0References1
CVE
CVE
added 2026/07/04 12:49 p.m.17 views

CVE-2025-13475

Technical details about CVE-2025-13475 are not publicly available in the provided documents. Monitor for updates.

7.3CVSS5.9AI score0.00158EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/07/04 12:49 p.m.40 views

CVE-2025-13475 Cross-Tenant Access via Application Consent Mismanagement in Multiple WSO2 Products Allows Unauthorized Data Exposure

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants,...

3.5CVSS0.00158EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/03 3:33 p.m.9 views

EUVD-2026-41556

A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions FGAP v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not...

5.4CVSS5.9AI score0.00146EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/02 2:3 p.m.7 views

CVE-2026-8079

In Progress Flowmon versions prior to 12.5.9 and 13.0.11, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the PDF generation process that results in operations being performed with the privileges of another user, potentially leading to unauthorized...

8.7CVSS5.8AI score0.00182EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/07/02 2:2 p.m.17 views

CVE-2026-9272

CVE-2026-9272 affects Progress Flowmon ADS prior to 12.5.6 and 13.0.5. An adversary authenticated as a low-privileged ADS user can send specially crafted requests that lead to unauthorized access to and modification of application data. The CVE’s metrics indicate HIGH impact on confidentiality, i...

8.7CVSS5.8AI score0.00247EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/07/02 2:2 p.m.37 views

CVE-2026-9272 Possibility of unintended database operations when querying data related to detected anomalies in Progress Flowmon ADS

In Progress Flowmon ADS versions prior to 12.5.6 and 13.0.5, a vulnerability exists whereby an adversary who is authenticated as a low-privileged user in the Anomaly Detection System ADS may send specially crafted requests that could result in unauthorized access to application data and its...

8.7CVSS0.00247EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/02 5:35 a.m.6 views

CVE-2026-11600

The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs and Off Canvas widget's template rendering in versions up to, and including, 1.4.26. The render method of the Tabs...

4.3CVSS5.7AI score0.00223EPSS
Exploits0References9
Rows per page
Query Builder