Search Results (11847 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-48544 1 Ledvance 1 Sylvania Smart Home Firmware 2026-04-15 8.4 High
Incorrect access control in the firmware update and download processes of Sylvania Smart Home v3.0.3 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVE-2024-44765 1 Mgt-commerce 1 Cloudpanel 2026-04-15 6.5 Medium
An Improper Authorization (Access Control Misconfiguration) vulnerability in MGT-COMMERCE GmbH CloudPanel v2.0.0 to v2.4.2 allows low-privilege users to bypass access controls and gain unauthorized access to sensitive configuration files and administrative functionality.
CVE-2024-38392 2026-04-15 9.1 Critical
Pexip Infinity Connect before 1.13.0 lacks sufficient authenticity checks during the loading of resources, and thus remote attackers can cause the application to run untrusted code.
CVE-2024-13637 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
The Demo Awesome plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin function in all versions up to, and including, 1.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins..
CVE-2025-14540 2 Userback, Wordpress 2 Userback, Wordpress 2026-04-15 4.3 Medium
The Userback plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the userback_get_json function in all versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract plugin's configuration data including the Userback API access token and site's posts/pages contents, including those that have private and draft status.
CVE-2024-13529 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
The SocialV - Social Network and Community BuddyPress Theme theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'socialv_send_download_file' function in all versions up to, and including, 2.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download arbitrary files from the target system.
CVE-2025-12149 1 Search-guard 1 Search Guard 2026-04-15 N/A
In Search Guard FLX versions 3.1.2 and earlier, while Document-Level Security (DLS) is correctly enforced elsewhere, when the search is triggered from a Signals watch, the DLS rule is not enforced, allowing access to all documents in the queried indices.
CVE-2025-54554 1 Ticrypt Project 1 Ticrypt 2026-04-15 5.3 Medium
tiaudit in Tera Insights tiCrypt before 2025-07-17 allows unauthenticated REST API requests that reveal sensitive information about the underlying SQL queries and database structure.
CVE-2024-9902 1 Redhat 6 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 3 more 2026-04-15 6.3 Medium
A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
CVE-2024-11840 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucss_data, update_rapidload_settings, wp_ajax_update_htaccess_file, uucss_update_rule, upload_rules, get_all_rules, update_titan_settings, preload_page, and activate_module functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or conduct SQL injection attacks.
CVE-2024-11401 1 Rapid7 1 Insight Platform 2026-04-15 N/A
Rapid7 Insight Platform versions prior to November 13th 2024, suffer from a privilege escalation vulnerability whereby, due to a lack of authorization checks, an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API (the functionality was not possible through the platform's User Interface). This vulnerability has been fixed as of November 13th 2024.
CVE-2024-48778 1 Giant Manufacturing 1 Ridelink Firmware 2026-04-15 9.1 Critical
An issue in GIANT MANUFACTURING CO., LTD RideLink (tw.giant.ridelink) 2.0.7 allows a remote attacker to obtain sensitive information via the firmware update process.
CVE-2023-40327 2026-04-15 6.5 Medium
Missing Authorization vulnerability in Putler / Storeapps Putler Connector for WooCommerce.This issue affects Putler Connector for WooCommerce: from n/a through 2.12.0.
CVE-2021-26387 2026-04-15 3.9 Low
Insufficient access controls in ASP kernel may allow a privileged attacker with access to AMD signing keys and the BIOS menu or UEFI shell to map DRAM regions in protected areas, potentially leading to a loss of platform integrity.
CVE-2025-12817 1 Postgresql 1 Postgresql 2026-04-15 3.1 Low
Missing authorization in PostgreSQL CREATE STATISTICS command allows a table owner to achieve denial of service against other CREATE STATISTICS users by creating in any schema. A later CREATE STATISTICS for the same name, from a user having the CREATE privilege, would then fail. Versions before PostgreSQL 18.1, 17.7, 16.11, 15.15, 14.20, and 13.23 are affected.
CVE-2025-12350 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
The DominoKit plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wp_ajax_nopriv_dominokit_option_admin_action AJAX endpoint in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to update plugin settings.
CVE-2025-11758 2 Codebangers, Wordpress 2 All In One Time Clock Lite, Wordpress 2026-04-15 6.5 Medium
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
CVE-2025-12156 2 Aitool, Wordpress 2 Ai Auto Tool Content Writing Assistant, Wordpress 2026-04-15 4.3 Medium
The Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_post_data() function in versions 2.0.7 to 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create and publish arbitrary posts.
CVE-2025-64369 2 Codepeople, Wordpress 2 Contact Form Email, Wordpress 2026-04-15 6.5 Medium
Missing Authorization vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.58.
CVE-2019-25237 2026-04-15 9.8 Critical
V-SOL GPON/EPON OLT Platform v2.03 contains a privilege escalation vulnerability that allows normal users to gain administrative access by manipulating the user role parameter. Attackers can send a crafted HTTP POST request to the user management endpoint with 'user_role_mod' set to integer value '1' to elevate their privileges.