Export limit exceeded: 10408 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10408 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-34766 | 2 Electron, Electronjs | 2 Electron, Electron | 2026-04-09 | 3.3 Low |
| Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8. | ||||
| CVE-2026-39664 | 2 Leadrebel, Wordpress | 2 Leadrebel, Wordpress | 2026-04-09 | 5.3 Medium |
| Missing Authorization vulnerability in leadrebel Leadrebel leadrebel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadrebel: from n/a through <= 1.0.2. | ||||
| CVE-2026-39662 | 2 Prowcplugins, Wordpress | 2 Product Price By Formula For Woocommerce, Wordpress | 2026-04-09 | 5.3 Medium |
| Missing Authorization vulnerability in ProWCPlugins Product Price by Formula for WooCommerce product-price-by-formula-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Price by Formula for WooCommerce: from n/a through <= 2.5.6. | ||||
| CVE-2026-39659 | 2 Ultimatemember, Wordpress | 2 Ultimate Member, Wordpress | 2026-04-09 | 5.3 Medium |
| Missing Authorization vulnerability in Ultimate Member Ultimate Member ultimate-member allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Member: from n/a through <= 2.11.3. | ||||
| CVE-2026-39657 | 2 Leadlovers, Wordpress | 2 Leadlovers Forms, Wordpress | 2026-04-09 | 5.3 Medium |
| Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through <= 1.0.2. | ||||
| CVE-2026-39652 | 2 Igms, Wordpress | 2 Igms Direct Booking, Wordpress | 2026-04-09 | 5.3 Medium |
| Missing Authorization vulnerability in igms iGMS Direct Booking igms-direct-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iGMS Direct Booking: from n/a through <= 1.3. | ||||
| CVE-2026-39650 | 2 Unitech Web, Wordpress | 2 Unitechpay, Wordpress | 2026-04-09 | 5.3 Medium |
| Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnitechPay: from n/a through <= 1.0.2. | ||||
| CVE-2026-39648 | 2 Themebeez, Wordpress | 2 Cream Blog, Wordpress | 2026-04-09 | 5.3 Medium |
| Missing Authorization vulnerability in themebeez Cream Blog cream-blog allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cream Blog: from n/a through <= 2.1.7. | ||||
| CVE-2026-39644 | 2 Roxnor, Wordpress | 2 Wp Ultimate Review, Wordpress | 2026-04-09 | 5.3 Medium |
| Missing Authorization vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wp Ultimate Review: from n/a through <= 2.3.8. | ||||
| CVE-2026-39639 | 2 Redpixelstudios, Wordpress | 2 Rps Include Content, Wordpress | 2026-04-09 | 6.5 Medium |
| Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RPS Include Content: from n/a through <= 1.2.2. | ||||
| CVE-2026-22682 | 1 Hkuds | 1 Openharness | 2026-04-09 | 7.1 High |
| OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode. | ||||
| CVE-2026-35490 | 1 Dgtlmoon | 1 Changedetection.io | 2026-04-09 | 9.8 Critical |
| changedetection.io is a free open source web page change detection tool. Prior to 0.54.8, the @login_optionally_required decorator is placed before (outer to) @blueprint.route() instead of after it. In Flask, @route() must be the outermost decorator because it registers the function it receives. When the order is reversed, @route() registers the original undecorated function, and the auth wrapper is never in the call chain. This silently disables authentication on these routes. This vulnerability is fixed in 0.54.8. | ||||
| CVE-2026-1752 | 1 Gitlab | 1 Gitlab | 2026-04-09 | 4.3 Medium |
| GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API. | ||||
| CVE-2026-33461 | 1 Elastic | 1 Kibana | 2026-04-09 | 7.7 High |
| Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs. | ||||
| CVE-2026-33460 | 1 Elastic | 1 Kibana | 2026-04-09 | 4.3 Medium |
| Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access. | ||||
| CVE-2026-34782 | 1 Zammad | 1 Zammad | 2026-04-09 | N/A |
| Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to use the text tool, resulting in being able to use it in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4. | ||||
| CVE-2026-33866 | 1 Mlflow | 1 Mlflow | 2026-04-09 | N/A |
| MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow version through 3.10.1 | ||||
| CVE-2026-4326 | 2 Webilia, Wordpress | 2 Vertex Addons For Elementor, Wordpress | 2026-04-09 | 8.8 High |
| The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate execution when it fails — it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress. | ||||
| CVE-2026-21721 | 1 Grafana | 2 Grafana, Grafana Enterprise | 2026-04-09 | 8.1 High |
| The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation. | ||||
| CVE-2026-21722 | 1 Grafana | 2 Grafana, Grafana Enterprise | 2026-04-09 | 5.3 Medium |
| Public dashboards with annotations enabled did not limit their annotation timerange to the locked timerange of the public dashboard. This means one could read the entire history of annotations visible on the specific dashboard, even those outside the locked timerange. This did not leak any annotations that would not otherwise be visible on the public dashboard. | ||||