Search Results (11569 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-46549 1 Nocodb 1 Nocodb 2026-06-24 2 Low
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the OAuth token strategy attached oauth_scope and oauth_granted_resources to the request user, but the ACL middleware never consulted either. An OAuth token issued with a restricted scope (e.g. MCP-only) therefore inherited the full permissions of the underlying user across all routes; the granted_resources.base_id restriction was bypassed on org-level endpoints that don't populate req.context.base_id. This vulnerability is fixed in 2026.04.1.
CVE-2026-10609 1 Redhat 2 Logging, Logging Subsystem For Red Hat Openshift 2026-06-23 6.8 Medium
A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrate SA tokens and escalate privileges.
CVE-2026-34023 1 Wertheim 1 Safecontroller Software For Vault Rooms (safe Deposit Locker System) 2026-06-23 N/A
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains an incorrect authorization vulnerability in the WebSocket communication used by the SafeController WebMessageBroker. An authenticated attacker with valid low-privileged branch user credentials can manipulate WebSocket messages by specifying controller identifiers belonging to other branches. This allows the attacker to access restricted functions and resources in other branches, including activating boxes outside of the user's authorized branch.
CVE-2026-34024 1 Wertheim 1 Safecontroller Software For Vault Rooms (safe Deposit Locker System) 2026-06-23 N/A
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user's branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches.
CVE-2026-5230 1 Mia Technology 1 Pizzy Library 2026-06-23 7.1 High
Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250.
CVE-2025-68049 2 Bunny.net, Wordpress 2 Bunny.net, Wordpress 2026-06-23 6.3 Medium
Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.
CVE-2025-69332 2 Mycred, Wordpress 2 Bookify, Wordpress 2026-06-23 6.5 Medium
Subscriber Broken Access Control in Bookify <= 1.1.1 versions.
CVE-2026-25425 2 Themegrill, Wordpress 2 User Registration, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions.
CVE-2026-34898 2 Wordpress, Wp Swings 2 Wordpress, Event Tickets Manager For Woocommerce 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.
CVE-2026-39525 2 Booking Activities Team, Wordpress 2 Booking Activities, Wordpress 2026-06-23 6.5 Medium
Unauthenticated Broken Access Control in Booking Activities <= 1.16.48.1 versions.
CVE-2026-39594 2 Themefic, Wordpress 2 Ultra Addons For Wpforms, Wordpress 2026-06-23 6.4 Medium
Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions.
CVE-2026-40741 2 Jose Conti, Wordpress 2 Redsys For Woocommerce Light, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions.
CVE-2026-40775 2 Royal Plugins, Wordpress 2 Royal Mcp, Wordpress 2026-06-23 7.3 High
Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions.
CVE-2026-40776 2 Arraytics, Wordpress 2 Wp Event Solution, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.8 versions.
CVE-2026-40795 2 Tms, Wordpress 2 Amelia, Wordpress 2026-06-23 6.5 Medium
Subscriber Broken Access Control in Amelia <= 2.2 versions.
CVE-2026-42664 2 Motive Commerce Search, Wordpress 2 Ai Product Search For Woocommerce – Motive Commerce Search, Wordpress 2026-06-23 8.2 High
Unauthenticated Broken Access Control in AI Product Search for WooCommerce &#8211; Motive Commerce Search <= 1.38.2 versions.
CVE-2026-42666 2 Dimitri Grassi, Wordpress 2 Salon Booking System, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Salon booking system <= 10.30.25 versions.
CVE-2026-48835 2 Awesomemotive, Wordpress 2 Contact Form By Wpforms, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.
CVE-2026-48887 2 Ahmad, Wordpress 2 Js Help Desk, Wordpress 2026-06-23 6.5 Medium
Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions.
CVE-2026-49070 2 Knit Pay, Wordpress 2 Knit Pay, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions.