Export limit exceeded: 11530 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (11530 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-24611 2 Wordpress, Wpmet 2 Wordpress, Metform Pro 2026-06-17 9.1 Critical
Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions.
CVE-2026-24610 2 Wordpress, Wpmet 2 Wordpress, Metform Pro 2026-06-17 4.3 Medium
Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions.
CVE-2026-39595 2 Boldgrid, Wordpress 2 W3 Total Cache, Wordpress 2026-06-17 4.7 Medium
Author Broken Access Control in W3 Total Cache <= 2.9.1 versions.
CVE-2026-40723 2 Bricks, Wordpress 2 Bricks Builder, Wordpress 2026-06-17 4.3 Medium
Subscriber Broken Access Control in Bricks Builder <= 2.1.4 versions.
CVE-2026-24575 2 Wishlist Member, Wordpress 2 Wishlist Member X, Wordpress 2026-06-17 4.3 Medium
Subscriber Broken Access Control in WishList Member X <= 3.29.0 versions.
CVE-2024-32949 2 Prince, Wordpress 2 Integrate Google Drive, Wordpress 2026-06-17 8.3 High
Missing Authorization vulnerability in Prince Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through 1.3.8.
CVE-2024-33909 2 Avirtum, Wordpress 2 Ipages Flipbook, Wordpress 2026-06-17 5.3 Medium
Missing Authorization vulnerability in Avirtum iPages Flipbook allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iPages Flipbook: from n/a through 1.5.1.
CVE-2026-26237 2 Qnap, Qnap Systems 2 Qumagie, Qumagie 2026-06-17 7.5 High
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later
CVE-2026-26236 2 Qnap, Qnap Systems 2 Qumagie, Qumagie 2026-06-17 7.5 High
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later
CVE-2026-24724 2 Qnap, Qnap Systems 2 File Station, File Station 5 2026-06-17 8.1 High
An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later
CVE-2026-53851 1 Openclaw 1 Openclaw 2026-06-16 5.3 Medium
OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input.
CVE-2026-53844 1 Openclaw 1 Openclaw 2026-06-16 6.5 Medium
OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session.
CVE-2026-53853 1 Openclaw 1 Openclaw 2026-06-16 8.3 High
OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution.
CVE-2026-53850 1 Openclaw 1 Openclaw 2026-06-16 5.5 Medium
OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels.
CVE-2026-44173 1 Mariadb 2 Mariadb, Server 2026-06-16 5 Medium
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
CVE-2026-53860 1 Openclaw 1 Openclaw 2026-06-16 4.2 Medium
OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent responses intended for configured senders, potentially bypassing access controls.
CVE-2026-34892 2 Rank Math Seo, Wordpress 2 Rank Math Seo, Wordpress 2026-06-16 6.5 Medium
Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions.
CVE-2026-39584 2 Webful Creations, Wordpress 2 Repairbuddy, Wordpress 2026-06-16 6.5 Medium
Subscriber Broken Access Control in RepairBuddy <= 4.1132 versions.
CVE-2026-2381 2 Woocommerce, Wordpress 2 Stripe Payment Gateway, Wordpress 2026-06-16 6.5 Medium
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.
CVE-2026-42851 1 Kovidgoyal 1 Kitty 2026-06-16 7.8 High
Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an email body rendered in `less`, an issue body in a TUI, etc. — can cause kitty to execute attacker-supplied Python inside the running kitty process, with the user's full privileges. There is no approval prompt, no remote-control permission requirement, no shell-integration interaction, no clipboard touch, and no editor interaction. Version 0.47.0 fixes the issue.