Search Results (5724 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-55670 1 Zitadel 1 Zitadel 2026-07-10 N/A
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original organization and exposed to that organization's administrator. This issue is fixed in version 4.15.2.
CVE-2026-40009 1 Apache 1 Iotdb 2026-07-10 6.5 Medium
Improper Privilege Management, Improper Access Control vulnerability in Apache IoTDB. Authenticated users can escalate to full tree-path access by renaming themselves to __internal_auditor. This issue affects Apache IoTDB: from 2.0.8 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
CVE-2026-40452 1 Apache 1 Iotdb 2026-07-10 7.5 High
Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to upgrade to version 2.0.10, which fixes the issue.
CVE-2026-15319 1 Sipeed 1 Picoclaw 2026-07-10 7.3 High
A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. This affects the function IPAllowlist of the file web/backend/middleware/access_control.go of the component Launcher. Such manipulation leads to improper access controls. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The name of the patch is 3126. A patch should be applied to remediate this issue.
CVE-2026-48948 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.
CVE-2026-48957 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows unauthorized users to access com_privacy datasets.
CVE-2026-48956 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows users to display a list of modules in the frontend.
CVE-2026-48955 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows unauthorized users to access workflow stage and transition information.
CVE-2026-48958 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows unauthorized users to create custom fields via webservices endpoints.
CVE-2026-48947 1 Joomla 1 Joomla! 2026-07-10 N/A
An improper access check allows privileged users to overwrite media files without editing permissions.
CVE-2026-56217 1 Cap-go 1 Cap-go 2026-07-10 4.3 Medium
Capgo before 12.128.2 contains a policy bypass vulnerability in app_versions update enforcement that allows app-scoped API keys to downgrade encrypted bundles to non-encrypted state. Attackers with app-scoped all API keys can directly update the app_versions table via PostgREST to clear session_key and key_id fields, bypassing organization-enforced encrypted-bundle policies and weakening OTA security controls.
CVE-2026-43713 1 Apple 3 Ios And Ipados, Macos, Safari 2026-07-10 6.5 Medium
A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Visiting a website may leak sensitive data.
CVE-2026-43701 1 Apple 3 Ios And Ipados, Macos, Safari 2026-07-10 7.1 High
The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to process restricted web content outside the sandbox.
CVE-2026-59720 1 Hoppscotch 1 Hoppscotch 2026-07-09 7.5 High
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without authentication and potentially expose sensitive API data. This issue is fixed in version 2026.6.0.
CVE-2026-15188 1 Manjurulhoque 1 Django-job-portal 2026-07-09 6.3 Medium
A weakness has been identified in manjurulhoque django-job-portal up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f. Affected by this vulnerability is the function EditEmployeeProfileAPIView of the file accounts/api/views.py of the component Employee Dashboard Endpoint. This manipulation of the argument role causes improper access controls. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-58525 1 Microsoft 1 Edge Chromium 2026-07-09 8.2 High
Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
CVE-2023-43336 1 Sangoma 1 Freepbx 2026-07-09 8.8 High
Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a modified parameter value, e.g., changing extension=self to extension=101.
CVE-2026-45658 1 Microsoft 26 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 23 more 2026-07-08 7.8 High
Improper access control in Windows BitLocker allows an authorized attacker to bypass a security feature locally.
CVE-2026-45654 1 Microsoft 8 Windows 11 24h2, Windows 11 24h2, Windows 11 25h2 and 5 more 2026-07-08 7.9 High
Improper access control in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
CVE-2026-48578 1 Microsoft 26 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 23 more 2026-07-08 7.9 High
Improper access control in Windows Secure Boot allows an authorized attacker to elevate privileges locally.