Search Results (11850 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-42914 1 Sap 1 Fiori 2026-04-15 3.1 Low
Due to missing authorization checks, SAP HCM My Timesheet Fiori 2.0 application allows an authenticated attacker with in-depth system knowledge to escalate privileges and perform activities that are otherwise restricted, resulting in a low impact on the integrity of the application. Confidentiality and availability are not impacted.
CVE-2025-42915 1 Sap 1 Fiori 2026-04-15 5.4 Medium
Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups.This issue could impact both the confidentiality and integrity of the application without affecting the availability.
CVE-2025-42917 1 Sap 1 Fiori 2026-04-15 6.5 Medium
SAP HCM Approve Timesheets Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and availability remain unaffected.
CVE-2025-4563 1 Kubernetes 1 Kubernetes 2026-04-15 2.7 Low
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
CVE-2025-43922 1 Filewave 1 Filewave 2026-04-15 8.1 High
The FileWave Windows client before 16.0.0, in some non-default configurations, allows an unprivileged local user to escalate privileges to SYSTEM.
CVE-2024-9234 1 Wpmet 1 Gutenkit 2026-04-15 9.8 Critical
The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins.
CVE-2024-9824 2026-04-15 4.3 Medium
The ImagePress – Image Gallery plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'ip_delete_post' and 'ip_update_post_title' functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts and update post titles.
CVE-2024-9825 2026-04-15 5.4 Medium
The Chef Habitat builder-api on-prem-builder package  with any version lower than habitat/builder-api/10315/20240913162802 is vulnerable to indirect object reference (IDOR) by un-authorized deletion of personal token.  Habitat builder consumes builder-api habitat package as a dependency and the vulnerability was specifically due to builder-api habitat package. The fix was made available in habitat/builder-api/10315/20240913162802 and all the subsequent versions after that. We would recommend user to always use on-prem stable channel.
CVE-2024-9860 1 Qode 1 Bridge Core 2026-04-15 5.4 Medium
The Bridge Core plugin for WordPress is vulnerable to unauthorized modification of data or loss of data due to a missing capability check on the 'import_action' and 'install_plugin_per_demo' functions in versions up to, and including, 3.3. This makes it possible for authenticated attackers with subscriber-level permissions or above, to delete or change plugin settings, import demo data, and install limited plugins.
CVE-2024-9891 1 Wordpress 1 Wordpress 2026-04-15 4.3 Medium
The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site.
CVE-2025-0580 1 Opencart 1 Opencart 2026-04-15 5.6 Medium
A vulnerability was found in Shiprocket Module 3 on OpenCart. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?route=extension/module/rest_api&action=getOrders of the component REST API Module. The manipulation of the argument contentHash leads to incorrect authorization. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-10015 1 Sparkle-project 1 Sparkle 2026-04-15 N/A
The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. Lack of validation of connecting client allows the attacker to copy TCC-protected files to an arbitrary location. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 2.7.2
CVE-2025-10016 1 Sparkle-project 1 Sparkle 2026-04-15 N/A
The Sparkle framework includes a helper tool Autoupdate. Due to lack of authentication of connecting clients a local unprivileged attacker can request installation of crafted malicious PKG file by racing to connect to the daemon when other app spawns it as root. This results in local privilege escalation to root privileges. It is worth noting that it is possible to spawn Autopudate manually via Installer XPC service. However this requires the victim to enter credentials upon system authorization dialog creation that can be modified by the attacker. This issue was fixed in version 2.7.2
CVE-2025-69361 2 Publishpress, Wordpress 2 Post Expirator, Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Expirator: from n/a through <= 4.9.3.
CVE-2025-1091 2026-04-15 4.3 Medium
A Broken Authorization schema exists where any authenticated user could download IOA script and configuration files if the URL is known.
CVE-2025-69336 2 Bdthemes, Wordpress 2 Utlimate Store Kit Elementor Addons, Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.9.4.
CVE-2025-11060 1 Redhat 1 Service Mesh 2026-04-15 5.7 Medium
A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or guest users to observe unauthorized records within the same table, bypassing access controls, via crafted LIVE SELECT subscriptions when other users alter or delete records.
CVE-2025-69331 2 Jeroen Schmit, Wordpress 2 Theater For Wordpress, Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through <= 0.19.
CVE-2025-69315 2 Nsquared, Wordpress 2 Simply Schedule Appointments, Wordpress 2026-04-15 6.5 Medium
Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15.
CVE-2025-69313 2 Wordpress, Wpxpo 2 Wordpress, Postx 2026-04-15 7.5 High
Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 5.0.3.