2 matches found
PT-2026-39748
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user has access to the library specified in the URL path, but fetches downloadable items solely by attacker-provided IDs without constraining...
CVE-2025-62086
CVE-2025-62086 is a WordPress plugin issue: Яндекс Доставка (Boxberry) for WordPress is vulnerable to Missing Authorization/Broken Access Control in versions up to 2.32 (some sources list fixes up to 2.34). The root cause is misconfigured access control allowing unauthorized acces...