Search Results (8427 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-10616 1 Nextlevelbuilder 1 Goclaw 2026-06-03 4.3 Medium
A weakness has been identified in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function TeamTasksTool.executeComplete of the file internal/tools/team_tasks_lifecycle.go of the component Team Task Completion Handler. Executing a manipulation can lead to missing authorization. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project tagged the reported issue as bug.
CVE-2022-0492 6 Canonical, Debian, Fedoraproject and 3 more 39 Ubuntu Linux, Debian Linux, Fedora and 36 more 2026-06-03 7.8 High
A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
CVE-2024-6406 2026-06-03 N/A
Missing Authentication for Critical Function, Missing Authorization vulnerability in Yordam Information Technology Mobile Library Application allows Retrieve Embedded Sensitive Data. This issue affects Mobile Library Application: before 5.0.
CVE-2026-44409 1 Zte 2 Mu5250, Mu5250 Firmware 2026-06-03 5.7 Medium
There is an an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure.
CVE-2026-42677 2 Ben Balter, Wordpress 2 Wp Document Revisions, Wordpress 2026-06-02 7.5 High
Missing Authorization vulnerability in Ben Balter WP Document Revisions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Document Revisions: from n/a before 4.0.0.
CVE-2026-45267 1 Nextcloud 1 Forms 2026-06-02 6.5 Medium
Nextcloud is an open source content collaboration platform. Prior to version 5.2.6, a missing permissions check allowed users to request reading form submissions of other users. This issue has been patched in version 5.2.6.
CVE-2026-9234 2 Ntbyk, Wordpress 2 Jtl-connector For Woocommerce, Wordpress 2026-06-02 4.3 Medium
The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the admin_post_settings_save_woo-jtl-connector action (handled by JtlConnectorAdmin::save()) and on the wp_ajax_downloadJTLLogs and wp_ajax_clearJTLLogs AJAX actions (handled by the global downloadJTLLogs() and clearJTLLogs() functions). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings, download a ZIP archive of the connector's developer log files, and delete those log files.
CVE-2025-52766 2 Printeers, Wordpress 2 Printeers Print & Ship, Wordpress 2026-06-02 6.5 Medium
Missing Authorization vulnerability in Printeers Printeers Print & Ship allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Printeers Print & Ship: from n/a through 1.17.0.
CVE-2025-53302 2 Anton Shevchuk, Wordpress 2 Constructor, Wordpress 2026-06-02 5.3 Medium
Missing Authorization vulnerability in Anton Shevchuk Constructor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Constructor: from n/a through 1.6.5.
CVE-2025-53345 2 Thimpress, Wordpress 2 Thim Core, Wordpress 2026-06-02 8.8 High
Missing Authorization vulnerability leading to code execution after installing malicious vulnerable plugin in ThimPress Thim Core. This issue affects Thim Core: from n/a through 2.3.3.
CVE-2025-53346 2 Thimpress, Wordpress 2 Thim Core, Wordpress 2026-06-02 4.3 Medium
Missing Authorization vulnerability in ThimPress Thim Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thim Core: from n/a through 2.3.3.
CVE-2026-42670 2 Etoile Web Design Incorporated, Wordpress 2 Five Star Restaurant Reservations, Wordpress 2026-06-02 7.5 High
Missing Authorization vulnerability in Etoile Web Design Incorporated Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Reservations: from n/a through 2.7.14.
CVE-2026-27351 2 Sekander Badsha, Wordpress 2 Crew Hrm, Wordpress 2026-06-02 5.4 Medium
Missing Authorization vulnerability in Sekander Badsha Crew HRM allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crew HRM: from n/a through 1.2.2.
CVE-2026-8382 2 Wordpress, Wpengine 2 Wordpress, Advanced Custom Fields 2026-06-02 5.3 Medium
The Advanced Custom Fields (ACF®) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.8.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the post_title and post_content of any post bound to a publicly accessible acf_form() instance by injecting values into the _post_title and _post_content parameters of a form submission request.
CVE-2026-34154 1 Discourse 1 Discourse 2026-06-02 5.3 Medium
Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1.
CVE-2026-28380 1 Grafana 1 Grafana 2026-06-02 6.5 Medium
Any Editor could delete any snapshot, even if they have no access to read or write them.
CVE-2026-41014 1 Apache 1 Airflow 2026-06-02 4.3 Medium
The partitioned_dag_runs endpoints in the Airflow UI enforced only asset-level access control, not per-Dag authorization. An authenticated UI/API user with global Asset:read permission could enumerate partition run state, schedule configuration, and asset wiring for Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping while granting users broader Asset access. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.
CVE-2026-35443 1 Namelessmc 1 Nameless 2026-06-02 N/A
NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/classes/ForumPostReactionContext.php` only verifies that the caller can view the forum, but it does not re-enforce topic-level `view_other_topics` authorization. As a result, in forums where users may enter the forum but may only view their own topics, reactions can still be read and modified on other users' topics. Version 2.2.5 fixes the issue.
CVE-2026-40314 1 Namelessmc 1 Nameless 2026-06-02 N/A
NamelessMC is website software for Minecraft servers. In version 2.2.4,`core/classes/Misc/ProfilePostReactionContext.php` only verifies that the wall post exists and does not enforce blocked/private-profile visibility. `modules/Core/queries/reactions.php` allows unauthenticated GET requests for reaction details. This means that unauthenticated visitors can read reaction participants and timestamps for private profile posts and uthenticated low-privileged users can add reactions to private or blocking profile posts. Version 2.2.5 fixes the issue.
CVE-2026-39831 1 Golang 2 Crypto, Ssh 2026-06-02 9.1 Critical
The Verify() method for FIDO/U2F security key types ([email protected], [email protected]) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.