43 matches found

NVD
added 2026/06/09 5:16 a.m., 9 views

CVE-2026-41838

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 throug...

CVSS 7.5, EPSS 0.00171
Exploits 0, References 1
EUVD
added 2026/06/09 3:49 a.m., 10 views

EUVD-2026-35325

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 throug...

CVSS 4.8, AI score 5.4, EPSS 0.00171
Exploits 0, References 1
Vulnrichment
added 2026/06/09 3:49 a.m., 8 views

CVE-2026-41838 Spring Framework Predictable Session ID in WebSocket Module

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 throug...

CVSS 4.8, AI score 5.4, EPSS 0.00171
Exploits 0, References 1
CVE
added 2026/06/09 3:49 a.m., 74 views

CVE-2026-41838

Spring Framework's WebSocket session IDs in the spring-websocket module are not cryptographically unpredictable, enabling potential session hijacking in environments with weak authorization. Affected: Spring Framework 7.0.0–7.0.7; 6.2.0–6.2.18; 6.1.0–6.1.27; 5.3.0–5.3.48. Risk summary: predictabl...

CVSS 7.5, AI score 5.5, EPSS 0.00171
Exploits 0, References 1, Affected Software 1
Positive Technologies
added 2026/06/09 12:00 a.m., 10 views

PT-2026-47649

Name of the Vulnerable Software and Affected Versions: Spring Framework versions 7.0.0 through 7.0.7; Spring Framework versions 6.2.0 through 6.2.18; Spring Framework versions 6.1.0 through 6.1.27; Spring Framework versions 5.3.0 through 5.3.48. Description: WebSocket session IDs in the spring-websocke...

CVSS 7.5, AI score 5.2, EPSS 0.00171
Exploits 0, References 3
CNNVD
added 2026/06/09 12:00 a.m., 7 views

VMware Spring Framework Security Feature Issue Vulnerability

VMware Spring Framework is an open-source Java/JavaEE application framework developed by VMware, Inc. This framework helps developers build high-quality applications. Versions of VMware Spring Framework from 7.0.0 to 7.0.7, 6.2.0 to 6.2.18, 6.1.0 to 6.1.27, and 5.3.0 to 5.3.48 contain security...

CVSS 7.5, AI score 5.2, EPSS 0.00171
Exploits 0, References 1
CVE
added 2026/05/08 12:12 p.m., 15 views

CVE-2026-8077

CVE-2026-8077 concerns the CashDro 3 web administration panel (v24.01.00.26). The issue is a lack of proper authorization in the backend, with security effectively handled only on the frontend. By altering the binary string in the ‘Permissions’ field of the JSON response, an attacker could escala...

CVSS 8.6, AI score 5.8, EPSS 0.00248
Exploits 0, References 2
CVE
added 2026/04/14 12:08 a.m., 41 views

CVE-2026-27681

CVE-2026-27681 is an SQL injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse caused by insufficient authorization checks. An authenticated user can submit crafted SQL statements to read, modify, and delete data, affecting confidentiality, integrity, and a...

CVSS 9.9, AI score 5.9, EPSS 0.00501
Exploits 0, References 2
CNNVD
added 2026/04/08 12:00 a.m., 6 views

WordPress plugin Wp Ultimate Review Security Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 5.3, AI score 5.8, EPSS 0.0019
Exploits 0, References 1
CNVD
added 2026/04/08 12:00 a.m., 5 views

OpenClaw Access Control Error Vulnerability (CNVD-2026-16624)

OpenClaw is an open-source intelligent assistant developed by OpenClaw. A security vulnerability exists in versions prior to OpenClaw 2026.3.12 that stems from a weak authorization issue in the Zalouser whitelisting schema, which matches variable group display names instead of stable group...

CVSS 9.8, AI score 5.8, EPSS 0.00335
Exploits 0
NVD
added 2026/03/29 1:17 p.m., 4 views

CVE-2026-32975

OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages...

CVSS 9.8, EPSS 0.00335
Exploits 0, References 2
Cvelist
added 2026/03/29 12:44 p.m., 20 views

CVE-2026-32975 OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist

OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages...

CVSS 9.8, EPSS 0.00335
Exploits 0, References 2
CVE
added 2026/03/29 12:44 p.m., 19 views

CVE-2026-32975

OpenClaw before 2026.3.12 exposes a weak authorization issue in Zalouser allowlist mode: the system matches mutable group display names rather than stable group identifiers, allowing attackers to craft groups with identical names to bypass channel authorization and route messages from unintended ...

CVSS 9.8, AI score 5.9, EPSS 0.00335
Exploits 0, References 2, Affected Software 1
Vulnrichment
added 2026/03/29 12:44 p.m., 2 views

CVE-2026-32975 OpenClaw < 2026.3.12 - Weak Authorization via Mutable Group Names in Zalouser Allowlist

OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can create groups with identical names to allowlisted groups to bypass channel authorization and route messages...

CVSS 9.8, AI score 5.9, EPSS 0.00335
Exploits 0, References 2
Veracode
added 2026/03/20 10:11 a.m., 5 views

Improper Access Control

code.gitea.io/gitea is vulnerable to improper access control. The vulnerability is due to insufficient authorization checks, which allows an anonymous attacker to access private user projects...

CVSS 5.8, AI score 7.3, EPSS 0.00328
Exploits 0, References 6, Affected Software 2
EUVD
added 2026/03/09 9:30 a.m., 4 views

EUVD-2025-208374

Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupdate.cgi endpoint to upload and apply arbitrary updates...

CVSS 9.1, AI score 5.9, EPSS 0.00407
Exploits 0, References 2
NVD
added 2026/03/09 9:16 a.m., 2 views

CVE-2025-41765

Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for restoration, server peer configurations, and...

CVSS 9.1, EPSS 0.00265
Exploits 0, References 1
EUVD
added 2026/03/06 12:31 a.m., 6 views

EUVD-2025-208331

Sensitive information disclosure and manipulation due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 Linux, macOS, Windows before build 41186, Acronis Cyber Protect Cloud Agent Linux, macOS, Windows before build 41124...

CVSS 5.5, AI score 5.9, EPSS 0.00093
Exploits 0, References 2
CNNVD
added 2026/01/14 12:00 a.m., 4 views

WordPress plugin AJS Footnotes Cross-Site Scripting Vulnerability

WordPress AJS Footnotes plugin is a plugin for WordPress designed to add aesthetically pleasing footnote features to posts or pages. The WordPress AJS Footnotes plugin suffers from a cross-site scripting vulnerability that stems from the lack of valid filtering and escaping of notelistclass and...

CVSS 7.2, AI score 5.9, EPSS 0.00275
Exploits 0, References 2
RedhatCVE
added 2025/12/10 9:04 a.m., 3 views

CVE-2025-14082

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/realm/roles endpoint. Mitigation: Mitigation for this issue is either not available or...

CVSS 2.7, AI score 5.5, EPSS 0.0032
Exploits 0, References 3