4789 matches found
Information Disclosure
Zabbix is vulnerable to an information disclosure. The vulnerability is due to the reuse of JavaScript Duktape contexts in Zabbix Server/Proxy, which allows a regular non-super administrator to leak sensitive data from hosts they are not authorized to access through shared global JavaScript...
CVE-2026-4683
The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and including, 3.1.77. This makes it possible for unauthenticated attackers to overwrite the plugin's...
EUVD-2026-30515
The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and including, 3.1.77. This makes it possible for unauthenticated attackers to overwrite the plugin's...
CVE-2026-4094
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'adminhead' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-lev...
EUVD-2026-30507
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'adminhead' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-lev...
CVE-2026-4094 FOX – Currency Switcher Professional for WooCommerce <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'adminhead' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-lev...
CVE-2026-4094
The FOX – Currency Switcher Professional for WooCommerce WordPress plugin (versions up to and including 1.4.5) is affected by an unauthorized data-loss vulnerability due to a missing capability check on the admin_head function, enabling authenticated attackers with Contributor-level access (and s...
CVE-2025-54511
CVE-2025-54511 affects the AMD Secure Processor (ASP). The AMD bulletin and NVD entry state that improper handling of insufficient privileges could allow an attacker to provide an input value to a function without sufficient privileges and write data, potentially impacting integrity and availabil...
PT-2026-41268
Name of the Vulnerable Software and Affected Versions FOX – Currency Switcher Professional for WooCommerce versions prior to 1.4.6 Description The plugin is susceptible to unauthorized data loss because the admin head function lacks a proper capability check. Authenticated users with...
CVE-2026-44283
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user...
CVE-2026-44283
CVE-2026-44283 affects etcd, a distributed key-value store. The issue: in nested transaction operations, read access via PrevKv or lease attachment in Put requests can bypass RBAC authorization checks. This could allow an authenticated user with limited read or lease permissions to access data th...
CVE-2026-3829
The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'wplebasicgetrequests' function in all versions up to, and including, 7.8.5.10. This makes...
EUVD-2026-30228
The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'wplebasicgetrequests' function in all versions up to, and including, 7.8.5.10. This makes...
PT-2026-41199
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.11 Description The API endpoint '/api/v1/notes/note id' lacks proper authorization checks, allowing authenticated users to retrieve notes belonging to other users by guessing or enumerating note id UUIDs. This...
CVE-2026-44448
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permitted role. This vulnerability is fixed in 15.102.0 and 16.11.0...
CVE-2026-3426
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the savewidget and resetallwidgets functions in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Author-lev...
mem0 server lacks authentication and authorization controls for its memory deletion API endpoint
The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...
EUVD-2026-29362
Due to missing authorization check in SAP Strategic Enterprise Management Scorecard Wizard in Business Server Pages, an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and...
CVE-2026-40132
Due to missing authorization check in SAP Strategic Enterprise Management Scorecard Wizard in Business Server Pages, an authenticated attacker could access information that they are otherwise unauthorized to view. This vulnerability also enables the attacker to change the default settings and...
CVE-2026-31241
The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...