| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1. |
| A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges. |
| The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user's authorized branch. |
| The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user's branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches. |
| Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. |
| Subscriber Broken Access Control in bunny.net <= 2.3.6 versions. |
| Subscriber Broken Access Control in Bookify <= 1.1.1 versions. |
| Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions. |
| Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. |
| Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions. |
| Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions. |
| Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions. |
| Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions. |
| Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions. |
| Subscriber Broken Access Control in Amelia <= 2.2 versions. |
| Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions. |
| Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions. |
| Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions. |
| Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions. |
| Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions. |