Search Results (5724 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-49938 1 Fortinet 1 Fortiportal 2026-07-08 6.2 Medium
A improper access control vulnerability in Fortinet FortiPortal 7.4.0 through 7.4.7, FortiPortal 7.2.0 through 7.2.8, FortiPortal 7.0 all versions may allow attacker to improper access control via <insert attack vector here>
CVE-2026-8147 1 Mlflow 1 Mlflow/mlflow 2026-07-08 8.1 High
In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications.
CVE-2026-14613 1 Redhat 4 Build Keycloak, Jboss Data Grid, Jbosseapxp and 1 more 2026-07-07 4.3 Medium
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administrator who is allowed to see a specific "role" can also see a list of all groups assigned to that role. The system fails to check if the administrator has permission to see those specific groups. This could allow a restricted administrator to discover "hidden" groups and see their details, such as internal names and custom settings, which might contain sensitive deployment information.
CVE-2026-20896 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 9.8 Critical
Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default, allowing any source IP to impersonate a user when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled.
CVE-2026-20909 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 5.3 Medium
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
CVE-2026-24451 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized.
CVE-2026-24690 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.
CVE-2026-25712 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.
CVE-2026-26247 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 9.1 Critical
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
CVE-2026-26292 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 9.8 Critical
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.
CVE-2026-27660 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.
CVE-2026-54765 1 Traefik 1 Traefik 2026-07-07 N/A
Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only one route's filter set to all requests reaching that backend. In Gateway deployments where backendRef filters set security-sensitive headers, such as tenant identity, authorization context, or values the backend trusts, an attacker who can create an accepted HTTPRoute sharing the same backend Service:port may cause their route's filter context to be applied to another route's requests, potentially crossing namespace boundaries when a ReferenceGrant permits cross-namespace targeting. This issue is fixed in version v3.7.6.
CVE-2026-14792 1 Formbricks 1 Formbricks 2026-07-07 6.5 Medium
A security vulnerability has been detected in Formbricks 5.0.0. This impacts an unknown function of the file apps/web/modules/survey/link/actions.ts of the component Survey Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. Upgrading to version 5.1.0-rc.1 will fix this issue. The identifier of the patch is af6023b5ac3b030ffcea24fac799f76f3e3512c6. You should upgrade the affected component.
CVE-2026-14775 1 Sourcecodester 2 Onlne Examination & Learning Management System, Onlne Examination Learning Management System 2026-07-07 6.3 Medium
A vulnerability was identified in SourceCodester Onlne Examination & Learning Management System 1.0. Affected is an unknown function of the file /process_lesson.php. Such manipulation of the argument user_id leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. The name of the affected product appears to have a typo in it.
CVE-2026-58523 1 Microsoft 1 Edge Chromium 2026-07-07 6.5 Medium
Improper access control in Microsoft Edge for Android allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-58286 1 Microsoft 1 Edge Chromium 2026-07-07 8.1 High
Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-20706 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 9.1 Critical
Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint.
CVE-2026-22555 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 8.1 High
Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets.
CVE-2026-27779 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 7.5 High
Gitea versions before 1.25.5 accept malformed or injected forwarded-proto values when detecting public URLs, allowing spoofed canonical URL generation.
CVE-2026-28699 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 8.1 High
Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.