Search Results (11571 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-33685 2 Jegstudio, Wordpress 2 Startupzy, Wordpress 2026-06-20 4.3 Medium
Missing Authorization vulnerability in Jegstudio Startupzy startupzy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Startupzy: from n/a through 1.1.1.
CVE-2024-31435 2 Inisev, Wordpress 2 Social Media & Share Icons, Wordpress 2026-06-20 4.3 Medium
: Missing Authorization vulnerability in Inisev Social Media & Share Icons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Social Media & Share Icons: from n/a through 2.8.6.
CVE-2026-11858 1 Quanos Solutions 1 Schema St4 2026-06-20 N/A
Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation.
CVE-2024-37210 2 Ali2woo, Wordpress 2 Alinext, Wordpress 2026-06-20 6.5 Medium
Missing Authorization vulnerability in ali2woo AliNext allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AliNext: from n/a through 3.3.5.
CVE-2024-37496 2 Rara Themes, Wordpress 2 Metro Magazine, Wordpress 2026-06-20 4.3 Medium
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.3.7.
CVE-2025-69189 2 Emv, Wordpress 2 Jobbank, Wordpress 2026-06-20 7.3 High
Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JobBank: from n/a through 1.2.3.
CVE-2026-54810 2 Nexi Payments, Wordpress 2 Nexi Xpay, Wordpress 2026-06-20 7.5 High
Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1.
CVE-2026-10029 2 Eventkoi, Wordpress 2 Event Koi Lite – Events Calendar, Event Management, Rsvp, And Tickets, Wordpress 2026-06-20 5.3 Medium
The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the get_events. This makes it possible for unauthenticated attackers to extract sensitive data including virtual meeting URLs, physical location data, latitude/longitude coordinates, Google Maps links, and RSVP configuration belonging to draft, pending, and private events that are otherwise inaccessible via public URLs.
CVE-2026-11719 1 Google 1 Mcp Toolbox For Databases 2026-06-20 N/A
An authenticated authorization bypass vulnerability exists in MCP Toolbox for Databases due to missing scope enforcement across older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol versions (2025-06-18, 2025-03-26, and 2024-11-05) omit this check. An authenticated client with low-privilege tokens (e.g., read) can bypass the intended per-tool scope restrictions and execute high-privilege tools (e.g., admin) simply by specifying an older protocol version in the MCP-Protocol-Version header, or by omitting the header entirely (which causes the server to default to the vulnerable 2024-11-05 handler).
CVE-2026-8935 2 Wordpress, Wp Maps Pro 2 Wordpress, Wp Maps Pro 2026-06-19 9.8 Critical
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
CVE-2026-42357 1 Apache 1 Dolphinscheduler 2026-06-19 6.5 Medium
Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access. This issue affects Apache DolphinScheduler versions prior to 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes this issue.
CVE-2026-0057 1 Google 1 Android 2026-06-18 3.3 Low
In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0092 1 Google 1 Android 2026-06-18 N/A
In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-28615 1 Google 1 Android 2026-06-18 N/A
In Telecomm, there is a possible way to initiate an unauthorized phone call due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-48640 1 Google 1 Android 2026-06-18 8 High
In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0071 1 Google 1 Android 2026-06-18 N/A
In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-12105 1 Devolutions 1 Devolutions Server 2026-06-18 6.5 Medium
Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.
CVE-2025-48617 1 Google 1 Android 2026-06-18 7.8 High
In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-0068 1 Google 1 Android 2026-06-18 N/A
In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.
CVE-2026-9199 2 Equalizedigital, Wordpress 2 Equalize Digital Accessibility Checker – Wcag, Ada, Eaa And Section 508 Compliance, Wordpress 2026-06-18 4.3 Medium
The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to dismiss, ignore, or restore accessibility audit issue records belonging to posts they are not permitted to edit by supplying an issue from their own post as an authorization token to affect matching issues across the entire site. An Author-level user can exploit this by passing largeBatch=true on a dismiss-issue request referencing one of their own post's issues, causing the handler to bulk-modify all site-wide accessibility issues sharing the same 'object' value — including those belonging to administrator-owned posts.