Search Results (11532 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-57645 2 Tribulant, Wordpress 2 Newsletters, Wordpress 2026-06-29 8.1 High
newsletters_subscribers Broken Access Control in Newsletters <= 4.13 versions.
CVE-2026-57649 2 Studiowombat, Wordpress 2 Shoppable Images, Wordpress 2026-06-29 4.3 Medium
Subscriber Broken Access Control in Shoppable Images Lite <= 1.3 versions.
CVE-2026-57660 2 Magepeople, Wordpress 2 Booking & Rental Manager, Wordpress 2026-06-29 5.3 Medium
Unauthenticated Broken Access Control in Booking and Rental Manager <= 2.7.1 versions.
CVE-2026-12404 2 Webaways, Wordpress 2 Nex-forms-ultimate-forms-plugin, Wordpress 2026-06-29 5.3 Medium
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to enumerate sequential report IDs and download complete form submission data — including names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths — for any saved report on the site.
CVE-2026-13508 2 Khoj, Khoj-ai 2 Khoj, Khoj 2026-06-29 5.5 Medium
A flaw has been found in khoj-ai khoj up to 2.0.0-beta.28. This impacts an unknown function of the file src/khoj/routers/api_chat.py of the component Conversation Sharing Handler. This manipulation of the argument conversation.agent causes incorrect authorization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.
CVE-2026-9233 2 Expresstech, Wordpress 2 Quiz And Survey Master (qsm) – Easy Quiz And Survey Maker, Wordpress 2026-06-29 4.3 Medium
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create, modify, and delete quiz output templates stored in the mlw_quiz_output_templates database table, including storing unsanitized HTML content such as arbitrary script tags.
CVE-2026-27366 2 Mainwp, Wordpress 2 Mainwp Child, Wordpress 2026-06-29 7.5 High
Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions.
CVE-2026-54830 2 Etoile Web Design Incorporated, Wordpress 2 Five Star Restaurant Reservations, Wordpress 2026-06-29 7.5 High
Unauthenticated Broken Access Control in Five Star Restaurant Reservations <= 2.7.19 versions.
CVE-2026-54844 2 Checkview, Wordpress 2 Checkview Automated Testing, Wordpress 2026-06-29 7.5 High
Unauthenticated Broken Access Control in CheckView Automated Testing <= 2.1.0 versions.
CVE-2026-44735 1 Opf 1 Openproject 2026-06-29 6.5 Medium
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the view_shared_work_packages permission. The authorization check operates at the project level only — it does not verify the requesting user can actually view each individual shared work package. This allows a regular project member to discover work package IDs and subjects (including confidential titles), which users have been granted shared access, what role level was assigned (Editor, Commenter, Viewer). This vulnerability is fixed in 17.3.2 and 17.4.0.
CVE-2026-55189 1 Rustfs 1 Rustfs 2026-06-29 7.7 High
RustFS is a distributed object storage system built in Rust. From 1.0.0-alpha.1 until 1.0.0-beta.9, when the FTP frontend is enabled, the FTP read and probe handlers dispatch directly to the storage backend without ever calling the IAM authorization function that the FTP write/list handlers (and the entire HTTP S3 path) use. As a result, any user who can authenticate to the FTP listener — including a user whose IAM policy contains an explicit Deny on s3:GetObject — can read (RETR) and stat (SIZE/MDTM) any object in any bucket, and probe any bucket (CWD), completely regardless of their IAM policy. This vulnerability is fixed in 1.0.0-beta.9.
CVE-2026-52779 1 Opf 1 Openproject 2026-06-29 5.4 Medium
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions. Both modules authorize the request against the project identified by :project_id in the URL, but the actual Query object is loaded later by :id from Query.visible(current_user) without verifying that the loaded Query belongs to the authorized project. As a result, an attacker can use permissions from Project A to delete shared/public Calendar or Team Planner views from Project B, causing integrity impact and limited availability impact for users relying on those shared views. This vulnerability is fixed in 17.3.3 and 17.4.1.
CVE-2026-56061 2 Wordpress, Wp Swings 2 Wordpress, Subscriptions For Woocommerce 2026-06-29 7.5 High
Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions.
CVE-2026-57648 2 Nelio Software, Wordpress 2 Nelio Content, Wordpress 2026-06-29 4.3 Medium
Contributor Broken Access Control in Nelio Content <= 4.3.4 versions.
CVE-2026-57654 2 Wordpress, Wp.insider 2 Wordpress, Affiliates Manager 2026-06-29 6.5 Medium
Affiliate Broken Access Control in Affiliates Manager <= 2.9.49 versions.
CVE-2026-50137 1 Budibase 1 Budibase 2026-06-29 N/A
Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call this endpoint with no auth and obtain a 15-minute pre-signed PUT URL minted on the victim's IAM identity. The endpoint also returns the publicUrl so the attacker knows exactly where their PUT lands. Because bucket is attacker-controlled, the attacker can write to any bucket those IAM credentials can write to, not only the bucket the datasource was configured for. The Budibase server route POST /api/attachments/:datasourceId/url (packages/server/src/api/routes/static.ts) is registered with only the recaptcha middleware. There is no authorized(...) middleware in the chain. The controller (packages/server/src/api/controllers/static/index.ts::getSignedUploadURL) looks the requested datasource up, instantiates an AWS S3 client with the datasource's stored accessKeyId / secretAccessKey, and returns an AWS Signature V4 pre-signed PutObjectCommand URL for the caller-supplied bucket and key. The bucket is not pinned to the datasource's configured bucket. The workspace context required by sdk.datasources.get is sourced by getWorkspaceIdFromCtx (packages/backend-core/src/utils/utils.ts) from any of: the x-budibase-app-id header, the JSON body appId, a path segment that begins with the workspace prefix, or ?appId=. auth.buildAuthMiddleware([], { publicAllowed: true }) runs before any of this and explicitly allows anonymous requests. The currentWorkspace middleware's "deny access to dev preview" branch only triggers under isBrowser(ctx) && !isApiKey(ctx); isBrowser checks the parsed User-Agent for a recognised browser, so any non-browser client (curl, the supplied PoC, any tool not setting a browser UA) is neither and reaches dev workspaces too. This vulnerability is fixed in 3.39.0.
CVE-2026-49991 1 Rustfs 1 Rustfs 2026-06-29 8.6 High
RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.4, authenticated users with only PutObject permission on their own bucket can exploit a path traversal vulnerability in the Snowball auto-extract feature to write arbitrary objects into other users' buckets, completely breaking multi-tenant isolation. The vulnerability chains three flaws: No ../ sanitization in tar entry key normalization; IAM wildcard matching uses raw (uncleaned) paths; and Filesystem path cleaning resolves ../ across bucket boundaries.
CVE-2025-2902 1 Hitachi 27 5100, 5100h, 5200 and 24 more 2026-06-29 8.3 High
Improper Authorization Vulnerability of Maintenance Utility in Hitachi Virtual Storage Platform. This issue affects Hitachi Virtual Storage Platform E390, E590, E790, E990, E1090, E390H, E590H, E790H, E1090H: before DKCMAIN Ver. 93-07-26-xx/00, GUM Ver. 93-07-26/00; Hitachi Virtual Storage Platform 5100, 5500, 5100H, 5500H, 5200, 5600, 5200H, 5600H: before DKCMAIN Ver. 90-09-27-00/00, GUM Ver. 90-09-27/00; Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900: before DKCMAIN Ver. 88-08-16-xx/00, GUM Ver. 88-08-20/00.
CVE-2026-58056 1 Rustdesk 1 Rustdesk 2026-06-29 7.6 High
RustDesk gates incoming control messages on per-capability flags rather than on the session's authorized connection type, and a file-transfer session does not clear those flags. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input and reach the unguarded screenshot and display-capture handlers, acting outside its granted scope.
CVE-2026-13537 1 Codeastro 1 Human Resource Management System 2026-06-29 4.3 Medium
A vulnerability was found in CodeAstro Human Resource Management System 1.0. Impacted is an unknown function. The manipulation results in cross-site request forgery. The attack may be launched remotely. The exploit has been made public and could be used.