Export limit exceeded: 357129 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (1763 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13003 | 1 Aksis Technology | 1 Axonboard | 2026-06-04 | 7.6 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Aksis Computer Services and Consulting Inc. AxOnboard allows Exploitation of Trusted Identifiers. This issue affects AxOnboard: from 3.2.0 before 3.3.0. | ||||
| CVE-2025-13004 | 2 Farktor, Farktor Software E-commerce Services Inc. | 2 E-commerce Package, E-commerce Package | 2026-06-04 | 6.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables. This issue affects E-Commerce Package: through 27112025. | ||||
| CVE-2025-13124 | 1 Netiket | 1 Applylogic | 2026-06-04 | 7.6 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers. This issue affects ApplyLogic: through 01.12.2025. | ||||
| CVE-2025-13125 | 1 Im Park | 1 Dijidemi | 2026-06-04 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Exploitation of Trusted Identifiers. This issue affects DijiDemi: through 28.11.2025. | ||||
| CVE-2025-13474 | 1 Menulux | 1 Mobile App | 2026-06-04 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers. This issue affects Mobile App: before 9.5.8. | ||||
| CVE-2025-14101 | 1 Gg Soft | 1 Paperwork | 2026-06-04 | 7.1 High |
| Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers. This issue affects PaperWork: from 5.2.0.9427 before 6.0. | ||||
| CVE-2026-37978 | 1 Redhat | 2 Build Keycloak, Build Of Keycloak | 2026-06-03 | 4.9 Medium |
| A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API. | ||||
| CVE-2026-4630 | 1 Redhat | 2 Build Keycloak, Build Of Keycloak | 2026-06-03 | 6.8 Medium |
| A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data. | ||||
| CVE-2026-45281 | 1 Nextcloud | 1 Nextcloud Server | 2026-06-03 | 8.1 High |
| Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of improper authorization controls in the backend of the calendar. If the attacker had access to the calendar, they would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23 | ||||
| CVE-2026-23638 | 2 Accellion, Kiteworks | 2 Kiteworks, Secure Data Forms | 2026-06-03 | 6.5 Medium |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | ||||
| CVE-2026-24753 | 2 Accellion, Kiteworks | 2 Kiteworks, Secure Data Forms | 2026-06-03 | 6.5 Medium |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | ||||
| CVE-2026-24755 | 2 Accellion, Kiteworks | 2 Kiteworks, Secure Data Forms | 2026-06-03 | 5.4 Medium |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | ||||
| CVE-2026-24756 | 2 Accellion, Kiteworks | 2 Kiteworks, Secure Data Forms | 2026-06-03 | 4.3 Medium |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | ||||
| CVE-2026-24761 | 2 Accellion, Kiteworks | 2 Kiteworks, Secure Data Forms | 2026-06-03 | 3.7 Low |
| Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch. | ||||
| CVE-2024-5619 | 1 Apinizer | 1 Apinizer | 2026-06-03 | 9.6 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in PruvaSoft Informatics Apinizer Management Console allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apinizer Management Console: before 2024.05.1. | ||||
| CVE-2026-45155 | 1 Nextcloud | 1 Circles | 2026-06-02 | 2.6 Low |
| Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed to add unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by default this is still unlikely to be executable at will, but if access to an ID was available via another source, memberships could be tracked like this. It is recommended that the Nextcloud Server is upgraded to 32.0.7 or 33.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 29.0.16.14, 30.0.17.8, 31.0.14.3, 32.0.7 or 33.0.1 | ||||
| CVE-2026-45159 | 1 Nextcloud | 1 End To End Encryption | 2026-06-02 | 3.5 Low |
| Nextcloud is an open source content collaboration platform. From versions 1.15.0 to before 1.15.4, 1.16.0 to before 1.16.3, 1.17.0 to before 1.17.1, and 1.18.0 to before 1.18.1, a malicious user with access to an end-to-end encrypted files drop link was able to also drop files into other end-to-end encrypted folders of the share owner. Reading and modifying of other files was not possible. This issue has been patched in versions 1.15.4, 1.16.3, 1.17.1, 1.18.1, and 2.0.0-rc.7. | ||||
| CVE-2026-28380 | 1 Grafana | 1 Grafana | 2026-06-02 | 6.5 Medium |
| Any Editor could delete any snapshot, even if they have no access to read or write them. | ||||
| CVE-2026-9087 | 1 Redhat | 2 Build Keycloak, Build Of Keycloak | 2026-06-02 | 6.4 Medium |
| A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account. | ||||
| CVE-2026-41084 | 1 Apache | 1 Airflow | 2026-06-02 | 7.5 High |
| A bug in Apache Airflow's bulk Task Instances API (`PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances`) evaluated authorization against the `dag_id` resolved from the URL path while operating on the `dag_id` / `dag_run_id` extracted from request-body entity fields. An authenticated UI/API user with edit permission on one Dag could mutate Task Instance state in any other Dag by keeping the authorized Dag's ID in the URL path and naming the target Dag's IDs in the request body entities. Affects deployments that rely on per-Dag edit-scope to keep Task Instance state isolated between teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later. | ||||