Total
4422 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-2056 | 1 Dlink | 4 Dir-605l, Dir-605l Firmware, Dir-619l and 1 more | 2026-02-17 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A security vulnerability has been detected in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The impacted element is an unknown function of the file /wan_connection_status.asp of the component DHCP Connection Status Handler. The manipulation leads to information disclosure. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
|
|||||
| CVE-2026-2146 | 1 Guchengwuyue | 1 Yshopmall | 2026-02-17 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2026-24055 | 1 Langfuse | 1 Langfuse | 2026-02-17 | N/A | 5.3 MEDIUM |
|
Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse ...
Show More |
|||||
| CVE-2025-69634 | 2026-02-14 | N/A | 9.0 CRITICAL | ||
|
Cross Site Request Forgery vulnerability in Dolibarr ERP & CRM v.22.0.9 allows a remote attacker to escalate privileges via the notes field in perms.php NOTE: this is disputed by a third party who indicates that exploitation can only occur if an unprivileged user knows the token of an admin user.
|
|||||
| CVE-2026-0653 | 1 Tp-link | 2 Tapo C260, Tapo C260 Firmware | 2026-02-13 | N/A | 6.5 MEDIUM |
|
On TP-Link Tapo C260 v1, a guest‑level authenticated user can bypass intended access restrictions by sending crafted requests to a synchronization endpoint. This allows modification of protected device settings despite limited privileges. An attacker may change sensitive configuration parameters without authorization, resulting in unauthorized device state manipulation but not full code execution.
|
|||||
| CVE-2024-51954 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-02-13 | N/A | 8.5 HIGH |
|
There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protected services outside the attacker’s originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a ...
Show More |
|||||
| CVE-2025-68721 | 1 Axigen | 1 Axigen Mail Server | 2026-02-13 | N/A | 8.1 HIGH |
|
Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section.
|
|||||
| CVE-2026-20638 | 1 Apple | 2 Ipados, Iphone Os | 2026-02-13 | N/A | 5.5 MEDIUM |
|
A logic issue was addressed with improved checks. This issue is fixed in iOS 26.3 and iPadOS 26.3. A user with Live Caller ID app extensions turned off could have identifying information leaked to the extensions.
|
|||||
| CVE-2025-67645 | 1 Open-emr | 1 Openemr | 2026-02-12 | N/A | 8.8 HIGH |
|
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable accou ...
Show More |
|||||
| CVE-2026-24300 | 1 Microsoft | 1 Azure Front Door | 2026-02-12 | N/A | 9.8 CRITICAL |
|
Azure Front Door Elevation of Privilege Vulnerability
|
|||||
| CVE-2026-24302 | 1 Microsoft | 1 Azure Arc | 2026-02-12 | N/A | 8.6 HIGH |
|
Azure Arc Elevation of Privilege Vulnerability
|
|||||
| CVE-2025-70997 | 1 Eladmin | 1 Eladmin | 2026-02-12 | N/A | 6.5 MEDIUM |
|
A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level.
|
|||||
| CVE-2026-1964 | 1 Wekan Project | 1 Wekan | 2026-02-12 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. Patch name: 545566f5663545d16174e0f2399f231aa693ab6e. It is advisable to upgrade the affected component.
|
|||||
| CVE-2026-1962 | 1 Wekan Project | 1 Wekan | 2026-02-12 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component.
|
|||||
| CVE-2026-24304 | 1 Microsoft | 1 Azure Resource Manager | 2026-02-12 | N/A | 9.9 CRITICAL |
|
Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2026-2250 | 2026-02-12 | N/A | 7.5 HIGH | ||
|
The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.
|
|||||
| CVE-2025-70982 | 1 Bladex | 1 Springblade | 2026-02-12 | N/A | 9.9 CRITICAL |
|
Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data.
|
|||||
| CVE-2026-23856 | 2026-02-12 | N/A | 7.8 HIGH | ||
|
Dell iDRAC Service Module (iSM) for Windows, versions prior to 6.0.3.1, and Dell iDRAC Service Module (iSM) for Linux, versions prior to 5.4.1.1, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
|
|||||
| CVE-2026-21238 | 1 Microsoft | 13 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 10 more | 2026-02-11 | N/A | 7.8 HIGH |
|
Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2026-21255 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2026-02-11 | N/A | 8.8 HIGH |
|
Improper access control in Windows Hyper-V allows an authorized attacker to bypass a security feature locally.
|
|||||
| CVE-2025-69908 | 1 Newgensoft | 1 Omniapp | 2026-02-11 | N/A | 7.5 HIGH |
|
An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource.
|
|||||
| CVE-2025-70983 | 1 Bladex | 1 Springblade | 2026-02-11 | N/A | 9.9 CRITICAL |
|
Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges.
|
|||||
| CVE-2026-2205 | 1 Wekan Project | 1 Wekan | 2026-02-11 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitigate this issue. The name of the patch is 0f5a9c38778ca550cbab6c5093470e1e90cb837f. Upgrading the affected component is advised.
|
|||||
| CVE-2026-2206 | 1 Wekan Project | 1 Wekan | 2026-02-11 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component.
|
|||||
| CVE-2026-2207 | 1 Wekan Project | 1 Wekan | 2026-02-11 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the attack remotely. Upgrading to version 8.21 is capable of addressing this issue. This patch is called 91a936e07d2976d4246dfe834281c3aaa87f9503. You should upgrade the affected component.
|
|||||
| CVE-2025-8025 | 2026-02-11 | N/A | 9.8 CRITICAL | ||
|
Missing Authentication for Critical Function, Improper Access Control vulnerability in Dinosoft Business Solutions Dinosoft ERP allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Dinosoft ERP: from < 3.0.1 through 11022026.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-29939 | 2026-02-10 | N/A | N/A | ||
|
Improper access control in secure encrypted virtualization (SEV) could allow a privileged attacker to write to the reverse map page (RMP) during secure nested paging (SNP) initialization, potentially resulting in a loss of guest memory confidentiality and integrity.
|
|||||
| CVE-2026-1898 | 1 Wekan Project | 1 Wekan | 2026-02-10 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to mitigate this issue. Patch name: 146905a459106b5d00b4f09453a6554255e6965a. You should upgrade the affected component.
|
|||||
| CVE-2020-37116 | 1 Gunet | 1 Open Eclass Platform | 2026-02-10 | N/A | 8.8 HIGH |
|
GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise.
|
|||||
| CVE-2025-60865 | 1 Avanquest | 1 Pc Helpsoft Driver Updater | 2026-02-10 | N/A | 7.8 HIGH |
|
Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service windows component.
|
|||||
| CVE-2026-2147 | 1 Tenda | 2 Ac21, Ac21 Firmware | 2026-02-10 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A weakness has been identified in Tenda AC21 16.03.08.16. This impacts an unknown function of the file /cgi-bin/DownloadLog of the component Web Management Interface. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
|
|||||
| CVE-2026-2148 | 1 Tenda | 2 Ac21, Ac21 Firmware | 2026-02-10 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A security vulnerability has been detected in Tenda AC21 16.03.08.16. Affected is an unknown function of the file /cgi-bin/DownloadFlash of the component Web Management Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
|
|||||
| CVE-2026-24668 | 1 Gunet | 1 Open Eclass Platform | 2026-02-10 | N/A | 6.5 MEDIUM |
|
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2.
|
|||||
| CVE-2026-24670 | 1 Gunet | 1 Open Eclass Platform | 2026-02-10 | N/A | 6.5 MEDIUM |
|
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create new course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2.
|
|||||
| CVE-2026-1896 | 1 Wekan Project | 1 Wekan | 2026-02-10 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack is possible to be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affe ...
Show More |
|||||
| CVE-2026-2009 | 1 Mayurik | 1 Gas Agency Management System | 2026-02-10 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead to improper access controls. It is possible to launch the attack remotely. The exploit has been published and may be used.
|
|||||
| CVE-2026-2075 | 1 Yeqifu | 1 Warehouse | 2026-02-10 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role-Permission Binding Handler. The manipulation results in improper access controls. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. This product takes the approach o ...
Show More |
|||||
| CVE-2026-2213 | 1 Fabian | 1 Online Music Site | 2026-02-10 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A security flaw has been discovered in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminAddAlbum.php. The manipulation of the argument txtimage results in unrestricted upload. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
|
|||||
| CVE-2026-2133 | 1 Fabian | 1 Online Music Site | 2026-02-10 | 7.5 HIGH | 7.3 HIGH |
|
A weakness has been identified in code-projects Online Music Site 1.0. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
|
|||||
| CVE-2025-23367 | 1 Redhat | 2 Jboss Enterprise Application Platform, Wildfly | 2026-02-10 | N/A | 6.5 MEDIUM |
|
A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server.
The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to ...
Show More |
|||||