4784 matches found
CVE-2026-6897
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...
epa4all-client 访问控制错误漏洞
epa4all-client is an open-source document writing client tool developed by Oviva AG. Versions of epa4all-client prior to 1.2.4 contained a security vulnerability related to access control. This vulnerability allowed arbitrary network-accessible callers to write arbitrary documents into patients’...
CVE-2026-28380
A flaw was found in Grafana. An authenticated user with editor privileges could exploit a Broken Access Control BAC vulnerability in the Snapshot API. This flaw allows an editor to delete any dashboard snapshot, even those they do not have explicit read or write access to, leading to unauthorized...
ROS-20260524-73-0006
A vulnerability in the JGSS component of the Oracle Java SE software platform, Oracle GraalVM for JDK and Oracle GraalVM Enterprise Edition virtual machines is associated with a breach of the data protection mechanism. Exploitation of the vulnerability could allow a remote attacker to gain...
CVE-2026-6897
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...
CVE-2026-6898 WishList Member <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Generate API Secret Key via 'wlm3_generate_api_key' AJAX action
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3Hooks::generateapikey' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...
PT-2026-42865
The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMemberFeaturesTeam Accounts::save settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...
CVE-2022-31231
Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management IAM module. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to gaining read access to unauthorized data...
CVE-2022-31231
Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management IAM module. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to gaining read access to unauthorized data...
CVE-2026-8347
The CVE-2026-8347 entry affects Concrete CMS 9.5.0 and earlier, where the Express association Reorder dialog is vulnerable to IDOR and wrong-authorization-level handling, enabling cross-entity state tampering under view-only permissions. The issue is triggered by reliance on Express entity orderi...
CVE-2026-44409
There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure...
CVE-2026-44409
Technical details about CVE-2026-44409 are not publicly available in the provided documents. No explicit affected versions, root cause specifics, exploit information, or mitigations are present. Monitor for updates from vendors and security feeds.
CVE-2026-44409
There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure...
Malicious code in @shwfed/nuxt (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 87ac343d6f89a601749bb115fa6902e7d39c71a0a6469690ecef56e9ea8a135e @shwfed/nuxt is published as a Nuxt UI module but contains undocumented build-hook code that, when a consumer integrates the module and runs a build...
Dell ECS 访问控制错误漏洞
Dell ECS is an enterprise-level object storage solution from the American company Dell. Versions 3.5 and 3.6 of Dell ECS contain access control vulnerability issues. This vulnerability stems from improper access control in the identity and access management module, which may allow remote...
PT-2026-42777
Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control in the Identity and Access Management IAM module. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to gaining read access to unauthorized data...
Unity Linux 20.1070e Security Update: hibernate (UTSA-2026-016690)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016690 advisory. A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit...
CVE-2026-4843
The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the processajaxrestoreaction function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and...
CVE-2026-4843 GSheet For Woo Importer <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Reset
The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the processajaxrestoreaction function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and...
CVE-2026-4843
The CVE-2026-4843 entry concerns the WordPress plugin “GSheet For Woo Importer.” All versions up to 2.3.1 are affected by a missing capability check in process_ajax_restore_action(), enabling authenticated users with Subscriber-level access or higher to delete the plugin’s Google Sheets API token...