Vulnerabilities (CVE)

Filtered by CWE-602
Total: 95 CVEs
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-29077 2026-03-05 N/A 7.1 HIGH
Frappe is a full-stack web application framework. Prior to versions 15.98.0 and 14.100.0, due to a lack of validation when sharing documents, a user could share a document with a permission that they themselves didn't have. This issue has been patched in versions 15.98.0 and 14.100.0.
CVE-2026-30783 2026-03-05 N/A N/A
A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling. This issue affects RustDesk Client: through 1.4.5.
CVE-2026-23859 1 Dell 1 Wyse Management Suite 2026-02-25 N/A 2.7 LOW
Dell Wyse Management Suite, versions prior to WMS 5.5, contain a Client-Side Enforcement of Server-Side Security vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to a protection mechanism bypass.
CVE-2026-23478 1 Cal 1 Cal.com 2026-02-03 N/A 9.8 CRITICAL
Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.
CVE-2025-36410 1 Ibm 1 Applinx 2026-01-26 N/A 3.1 LOW
IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security.
CVE-2026-0808 2026-01-26 N/A 5.3 MEDIUM
The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes.
CVE-2025-54833 1 Opexustech 1 Foiaxpress Public Access Link 2026-01-23 N/A 5.3 MEDIUM
OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords.
CVE-2025-14687 1 Ibm 1 Db2 Intelligence Center 2026-01-14 N/A 4.3 MEDIUM
IBM Db2 Intelligence Center 1.1.0, 1.1.1, 1.1.2 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of server-side security mechanisms.
CVE-2024-31491 1 Fortinet 1 Fortisandbox 2026-01-14 N/A 8.8 HIGH
A client-side enforcement of server-side security vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.4 and FortiSandbox 4.2.1 through 4.2.6 allows an attacker to execute unauthorized code or commands via HTTP requests.
CVE-2025-66507 1 Fit2cloud 1 1panel 2025-12-10 N/A 7.5 HIGH
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections can be bypassed, enabling automated login attempts and significantly increasing the risk of account takeover (ATO). This issue is fixed in version 2.0.14.
CVE-2025-36102 1 Ibm 2 Cognos Controller, Controller 2025-12-10 N/A 2.7 LOW
IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into the application as trusted data, due to client-side enforcement of server-side security.
CVE-2025-51682 1 Mjobtime 1 Mjobtime 2025-12-04 N/A 9.8 CRITICAL
mJobtime 15.7.2 handles authorization on the client side, which allows an attacker to modify the client-side code and gain access to administrative features. Additionally, they can craft requests based on the client-side code to call these administrative functions directly.
CVE-2025-7820 2025-12-01 N/A 7.5 HIGH
The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for unauthenticated attackers to make confirmed purchases without actually paying for them.
CVE-2025-12788 2025-11-12 N/A 5.3 MEDIUM
The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification with PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confi ...
CVE-2025-10161 2025-11-12 N/A 7.3 HIGH
Improper Restriction of Excessive Authentication Attempts, Client-Side Enforcement of Server-Side Security, Reliance on Untrusted Inputs in a Security Decision vulnerability in Turkguven Software Technologies Inc. Perfektive allows Brute Force, Authentication Bypass, Functionality Bypass. This issue affects Perfektive: before Version: 12574 Build: 2701.
CVE-2025-4527 1 Digitro 1 Ngc Explorer 2025-11-10 2.6 LOW 3.7 LOW
A vulnerability has been found in Dígitro NGC Explorer 3.44.15 and classified as problematic. This vulnerability affects unknown code of the component Password Transmission Handler. The manipulation leads to client-side enforcement of server-side security. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-36093 1 Ibm 1 Cloud Pak For Business Automation 2025-11-05 N/A 4.8 MEDIUM
IBM Cloud Pak For Business Automation 25.0.0, 24.0.1, and 24.0.0 could allow an attacker to access unauthorized content or perform unauthorized actions using man in the middle techniques due to improper access controls.
CVE-2025-12115 2025-11-04 N/A 7.5 HIGH
The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a product. This makes it possible for unauthenticated attackers to purchase products at prices less than they should be able to.
CVE-2025-27681 1 Printerlogic 2 Vasion Print, Virtual Appliance 2025-11-03 N/A 9.8 CRITICAL
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 1.0.735 Application 20.0.1330 mishandles Client Inter-process Security V-2022-004.
CVE-2025-10640 2025-11-03 N/A 9.8 CRITICAL
An unauthenticated attacker with access to TCP port 12306 of the WorkExaminer server can exploit missing server-side authentication checks to bypass the login prompt in the WorkExaminer Professional console to gain administrative access to the WorkExaminer server and therefore all sensitive monitoring data. This includes monitored screenshots and keystrokes of all users. The WorkExaminer Professional console is used for administrative access to the server. Before access to the console is grante ...
CVE-2025-32808 1 Wwnorton 1 Inquizitive 2025-10-30 N/A 7.7 HIGH
W. W. Norton InQuizitive through 2025-04-08 allows students to insert arbitrary records of their quiz performance into the backend, because only client-side access control exists.
CVE-2025-41402 2025-10-27 N/A 5.5 MEDIUM
Client-Side Enforcement of Server-Side Security (CWE-602) in the Command Centre Server allows a privileged operator to enter invalid competency data, bypassing expiry checks. This issue affects Command Centre Server: 9.30 prior to vEL9.30.2482 (MR2), 9.20 prior to vEL9.20.2819 (MR4), 9.10 prior to vEL9.10.3672 (MR7), all versions of 9.00 and prior.
CVE-2025-2139 3 Ibm, Linux, Microsoft 4 Aix, Engineering Requirements Management Doors Next, Linux Kernel and 1 more 2025-10-16 N/A 3.5 LOW
IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete reviews from other users due to client-side enforcement of server-side security.
CVE-2025-2138 3 Ibm, Linux, Microsoft 4 Aix, Engineering Requirements Management Doors Next, Linux Kernel and 1 more 2025-10-16 N/A 3.5 LOW
IBM Engineering Requirements Management Doors Next 7.0.2, 7.0.3, and 7.1 could allow an authenticated user on the network to delete comments from other users due to client-side enforcement of server-side security.
CVE-2014-2374 1 Accuenergy 2 Acuvim Ii, Axm-net 2025-10-13 7.5 HIGH N/A
The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript.
CVE-2014-2373 1 Accuenergy 2 Acuvim Ii, Axm-net 2025-10-13 7.5 HIGH N/A
The AXN-NET Ethernet module accessory 3.04 for the Accuenergy Acuvim II allows remote attackers to discover passwords and modify settings via vectors involving JavaScript.
CVE-2025-61197 2025-10-06 N/A 8.9 HIGH
An issue in Orban Optimod 5950, Optimod 5950HD, Optimod 5750, Optimod 5750HD, Optimod Trio (Optimod version 1.0.0.33, System version 2.5.26) allows a remote attacker to escalate privileges because the application stores user privilege/role information in client-side browser storage.
CVE-2025-28168 1 Multiple File Upload Project 1 Multiple File Upload 2025-09-30 N/A 6.4 MEDIUM
The Multiple File Upload add-on component 3.1.0 for OutSystems is vulnerable to Unrestricted File Upload. This occurs because file extension and size validations are enforced solely on the client side. An attacker can intercept the upload request and modify a parameter to bypass extension restrictions and upload arbitrary files. NOTE: this is a third-party component that is not supplied or supported by OutSystems.
CVE-2025-46591 1 Huawei 1 Harmonyos 2025-09-26 N/A 6.2 MEDIUM
Out-of-bounds data read vulnerability in the authorization module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2025-9495 2025-09-24 N/A N/A
The Vitogate 300 web interface fails to enforce proper server-side authentication and relies on frontend-based authentication controls. This allows an attacker to simply modify HTML elements in the browser’s developer tools to bypass login restrictions. By removing specific UI elements, an attacker can reveal the hidden administration menu, giving them full control over the device.
CVE-2024-52008 1 Ethyca 1 Fides 2025-09-23 N/A 8.8 HIGH
Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API calls can circumvent these checks, enabling the creation of accounts with passwords as short as a single character. When an email messaging provider is enabled and a new user account is created in the syste ...
CVE-2025-53969 2025-09-19 N/A 8.8 HIGH
Cognex In-Sight Explorer and In-Sight Camera Firmware expose a service implementing a proprietary protocol on TCP port 1069 to allow the client-side software, such as the In-Sight Explorer tool, to perform management operations such as changing network settings or modifying users' access to the device.
CVE-2025-56694 1 Lumasoft 1 Fotoshare Cloud 2025-09-09 N/A 5.8 MEDIUM
Client-side password validation (CWE-602) in lumasoft fotoShare Cloud 2025-03-13 allows unauthenticated attackers to view password-protected photo albums.
CVE-2024-12603 2025-09-05 N/A 9.8 CRITICAL
A logic vulnerability in the mobile application (com.transsion.applock) can lead to bypassing the application password.
CVE-2025-8792 1 Litmuschaos 1 Litmus 2025-09-02 4.0 MEDIUM 4.3 MEDIUM
A vulnerability classified as problematic has been found in LitmusChaos Litmus up to 3.19.0. Affected is an unknown function. The manipulation leads to client-side enforcement of server-side security. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-49824 1 Ibm 2 Robotic Process Automation, Robotic Process Automation For Cloud Pak 2025-08-18 N/A 6.5 MEDIUM
IBM Robotic Process Automation 21.0.0 through 21.0.7.18 and 23.0.0 through 23.0.18 and IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.18 and 23.0.0 through 23.0.18 could allow an authenticated user to perform unauthorized actions as a privileged user due to improper validation of client-side security enforcement.
CVE-2025-6025 2025-08-15 N/A 7.5 HIGH
The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted.
CVE-2025-1838 1 Ibm 1 Cloud Pak For Business Automation 2025-08-14 N/A 6.5 MEDIUM
IBM Cloud Pak for Business Automation 24.0.0 and 24.0.1 through 24.0.1 IF001 Authoring allows an authenticated user to bypass client-side data validation in an authoring user interface which could cause a denial of service.
CVE-2024-41751 1 Ibm 1 Smartcloud Analytics Log Analysis 2025-08-06 N/A 5.5 MEDIUM
IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local, authenticated attacker to bypass client-side enforcement of security to manipulate data.
CVE-2024-41750 1 Ibm 1 Smartcloud Analytics Log Analysis 2025-08-06 N/A 5.5 MEDIUM
IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local, authenticated attacker to bypass client-side enforcement of security to manipulate data.