Search Results (8433 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-57946 1 Iv-org 1 Invidious 2026-07-01 3.7 Low
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.
CVE-2026-57952 1 Its-a-feature 1 Mythic 2026-07-01 5.3 Medium
Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpoints with a known payload UUID from another operation to access that operation's C2 profile configuration including encryption keys and callback parameters.
CVE-2026-54475 1 Apache 3 Activemq, Activemq All, Activemq Broker 2026-07-01 7.5 High
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.
CVE-2026-58167 1 Ccfos 1 Nightingale 2026-07-01 6.5 Medium
Nightingale (n9e) before 9.0.0-beta.2 exposes full datasource configurations, including plaintext database passwords, HTTP bearer tokens, HTTP basic-auth passwords, and mTLS client keys, to any authenticated low-privilege (Standard role) user through POST /api/n9e/datasource/list. The route is registered without an admin authorization gate, unlike the sibling datasource mutation routes, and the open-source DatasourceFilter does not redact secret fields, so the secret-bearing settings, http, and auth objects are serialized in the response. The disclosed credentials enable access to the connected downstream systems.
CVE-2026-58168 1 Hkuds 1 Deeptutor 2026-07-01 8.8 High
DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowed_mcp_tools function returning None instead of a denied result when mcp_tools is omitted from a user's grant in deeptutor/multi_user/tool_access.py. Attackers or prompt-injected content acting within a user session can enumerate and invoke any configured MCP tool, including filesystem, shell, and browser servers, gaining unauthorized access to sensitive deployment resources.
CVE-2026-57339 2 Strategy11team, Wordpress 2 Business Directory Plugin, Wordpress 2026-07-01 6.6 Medium
Unauthenticated Broken Access Control in Business Directory <= 6.4.23 versions.
CVE-2026-57949 1 Yunaiv 1 Ruoyi-vue-pro 2026-07-01 6.5 Medium
ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.
CVE-2026-13484 1 Mlflow 1 Mlflow 2026-06-30 5 Medium
A vulnerability has been found in MLflow up to 4666cffc7912ea606d592fc38d6a75e2935f65e7. The impacted element is an unknown function of the component Experiment-scoped Label Schema CRUD API. Such manipulation leads to missing authorization. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. A reply to the GitHub issue explains, that "[t]he labeling schema PR has not been merged yet. The auth handlers will be added before the release."
CVE-2026-58377 1 Jeecgboot 1 Jeecgboot 2026-06-30 8.1 High
JeecgBoot through 3.9.2 contains a broken access control vulnerability that allows authenticated low-privilege users to perform full create, read, update, and delete operations on OpenAPI credentials by accessing the OpenApiAuthController and OpenApiPermissionController endpoints which lack Shiro authorization annotations. Attackers can exploit the unenforced access controls to list, add, edit, and delete all AK/SK credential pairs, with the list endpoint returning secret keys in plaintext, enabling credential theft and unauthorized invocation of the OpenAPI surface.
CVE-2026-58373 1 Cvat 1 Cvat 2026-06-30 4.3 Medium
CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports via HTTP 500 versus HTTP 404 response differences, disclosing cross-organization report existence without returning report content.
CVE-2026-57498 1 Coollabsio 1 Coolify 2026-06-30 9.6 Critical
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamId) before any operation. However, multiple Livewire web UI components accept server_id and destination_uuid from URL query parameters without any team ownership validation, allowing cross-team resource deployment. This vulnerability is fixed in 4.0.0-beta.474.
CVE-2026-57954 1 Elide 1 Elide 2026-06-30 4.3 Medium
Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
CVE-2026-57520 1 Bitwarden 1 Server 2026-06-30 7.1 High
Bitwarden Server before 2026.5.0 contains a privilege escalation vulnerability that allows authenticated Custom users with ManageUsers permission to remove Admin accounts from an organization by exploiting a missing role hierarchy check in the bulk user-remove endpoint. Attackers can supply Admin organization-user IDs in a bulk DELETE request to bypass the guard enforced on the single-user removal path, effectively removing one or more Admin accounts from an organization.
CVE-2026-56768 1 Haiwen 1 Seahub 2026-06-30 8.8 High
Seahub before 13.0.23 does not enforce SHARE_LINK_LOGIN_REQUIRED on GET /api/v2.1/share-link-zip-task/, allowing unauthenticated users to bypass authentication. Attackers with a folder share-link token can call the GET endpoint to obtain a fileserver zip token and download entire shared directory trees.
CVE-2026-57340 2 Shoheitanaka, Wordpress 2 Japanized For Woocommerce, Wordpress 2026-06-29 6.5 Medium
Unauthenticated Broken Access Control in Japanized For WooCommerce <= 2.9.12 versions.
CVE-2026-57327 2 Mainwp, Wordpress 2 Mainwp, Wordpress 2026-06-29 6.3 Medium
Subscriber Broken Access Control in MainWP <= 6.1.1 versions.
CVE-2026-57332 2 Wordpress, Wpswings 2 Wordpress, Wallet System For Woocommerce 2026-06-29 7.1 High
Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions.
CVE-2026-57334 2 Wedevs, Wordpress 2 Wp User Frontend, Wordpress 2026-06-29 6.5 Medium
Unauthenticated Broken Access Control in WP User Frontend <= 4.3.7 versions.
CVE-2025-63041 2 Codeamp, Wordpress 2 Forget About Shortcode Buttons, Wordpress 2026-06-29 5.4 Medium
Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions.
CVE-2025-63078 2 Jetmonsters, Wordpress 2 Restaurant Menu By Motopress, Wordpress 2026-06-29 4.3 Medium
Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions.