Export limit exceeded: 11945 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11945 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-57721 | 2 Wordpress, Wp Reloaded | 2 Wordpress, Applyonline | 2026-07-06 | 5.3 Medium |
| Missing Authorization vulnerability in WP Reloaded ApplyOnline allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ApplyOnline: from n/a through 2.6.7.6. | ||||
| CVE-2025-69134 | 2 Merkulove, Wordpress | 2 Openai Chatbot For Wordpress – Helper, Wordpress | 2026-07-06 | 7.5 High |
| Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions. | ||||
| CVE-2026-39448 | 2 Coderpress, Wordpress | 2 Nowpayments For Woocommerce, Wordpress | 2026-07-06 | 7.5 High |
| Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions. | ||||
| CVE-2026-57685 | 2 Drfuri, Wordpress | 2 Martfury - Woocommerce Marketplace Wordpress Theme, Wordpress | 2026-07-06 | 4.3 Medium |
| Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme <= 3.2.8 versions. | ||||
| CVE-2026-57688 | 2 Gurmehub, Wordpress | 2 Pos Entegratör, Wordpress | 2026-07-06 | 8.2 High |
| Unauthenticated Broken Access Control in POS Entegratör <= 3.7.103 versions. | ||||
| CVE-2026-57689 | 2 Fuelthemes, Wordpress | 2 Werkstatt, Wordpress | 2026-07-06 | 4.3 Medium |
| Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions. | ||||
| CVE-2026-57750 | 2 Keksdieb, Wordpress | 2 Ez Form Calculator Premium, Wordpress | 2026-07-06 | 5.3 Medium |
| Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions. | ||||
| CVE-2026-57760 | 2 Sendcloud, Wordpress | 2 Sendcloud Shipping, Wordpress | 2026-07-06 | 5.3 Medium |
| Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendcloud Shipping: from n/a through 1.0.29. | ||||
| CVE-2026-12729 | 2 Wedevs, Wordpress | 2 Wedocs: Ai Powered Knowledge Base, Docs, Documentation, Wiki & Ai Chatbot, Wordpress | 2026-07-06 | 4.3 Medium |
| The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the do_migration() function registered as the wedocs_migrate_betterdocs_to_wedocs AJAX action, which performs no nonce verification via check_ajax_referer() and no capability check via current_user_can() before executing sensitive operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full BetterDocs-to-weDocs data migration, creating and modifying 'docs' custom post type entries with attacker-controlled titles, updating site options, and deactivating the BetterDocs and BetterDocs Pro plugins via deactivate_plugins(). | ||||
| CVE-2026-27775 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-06 | 8.8 High |
| Gitea 1.25.5 caches a branch-specific write-permission result across multiple refs in one pre-receive hook session, allowing a per-branch maintainer-edit grant to be reused for other refs and escalate to full repository write access. | ||||
| CVE-2026-27780 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-06 | 9.8 Critical |
| Gitea versions before 1.26.0 do not fail closed on bufio.Scanner errors while processing pre-receive hook input, allowing oversized input to bypass branch-protection checks. | ||||
| CVE-2026-27783 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-06 | 4.3 Medium |
| Gitea versions up to and including 1.26.1 do not enforce repository-unit authorization on issue-template API endpoints. | ||||
| CVE-2026-28699 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-06 | 8.1 High |
| Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication. | ||||
| CVE-2026-28744 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-06 | 8.1 High |
| Gitea versions up to and including 1.26.1 allow Git smart HTTP requests authenticated with bearer tokens to bypass repository token scope checks. | ||||
| CVE-2026-58424 | 1 Gitea | 1 Gitea Open Source Git Server | 2026-07-06 | 8.9 High |
| Permanent Fork PR Workflow Approval Gate Bypass | ||||
| CVE-2026-12557 | 2 Saturdaydrive, Wordpress | 2 Ninja Forms - File Uploads, Wordpress | 2026-07-06 | 5.3 Medium |
| The Ninja Forms - File Uploads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.3.29. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read all plugin debug log entries stored in the wp_nf3_log table or permanently delete all rows from that table. | ||||
| CVE-2026-14460 | 2026-07-06 | 8.8 High | ||
| Missing Authorization vulnerability in TUBITAK BILGEM Software Technologies Research Institute pardus-software allows Argument Injection. This issue affects pardus-software: from <= 1.0.4 before 1.0.5. | ||||
| CVE-2026-54998 | 1 Microsoft | 1 Exchange Online | 2026-07-06 | 8.8 High |
| Incorrect authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-59097 | 1 Taiga | 1 Taiga | 2026-07-06 | 5.3 Medium |
| Taiga before 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary project identifier to these endpoints, which bypass permission checks and apply the AllowAny default, to pre-empt project administrators from initializing due dates by creating records before they can do so themselves. | ||||
| CVE-2026-9230 | 2 Expresstech, Wordpress | 2 Quiz And Survey Master (qsm) – Easy Quiz And Survey Maker, Wordpress | 2026-07-06 | 4.3 Medium |
| The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify quizzes they do not own, overwrite quiz results pages, and reroute quiz-result notification emails to attacker-controlled addresses. An attacker first calls the /quiz/structure endpoint with an arbitrary victim quiz ID to obtain a valid nonce bound to that quiz ID and their own user ID, then presents that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership. | ||||