Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-69393 | 2026-02-23 | N/A | 7.5 HIGH | ||
|
Missing Authorization vulnerability in Jthemes Exzo exzo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Exzo: from n/a through <= 1.2.4.
|
|||||
| CVE-2026-27484 | 1 Openclaw | 1 Openclaw | 2026-02-23 | N/A | 4.3 MEDIUM |
|
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user can request moderation actions by spoofing sender identity fields. This issue has been fixed in version 2026.2.18.
|
|||||
| CVE-2025-14339 | 2026-02-23 | N/A | 6.5 MEDIUM | ||
|
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can perma ...
Show More |
|||||
| CVE-2026-1787 | 2026-02-23 | N/A | 4.8 MEDIUM | ||
|
The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.
|
|||||
| CVE-2020-0989 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2026-02-23 | 2.1 LOW | 5.5 MEDIUM |
|
<p>An information disclosure vulnerability exists when Windows Mobile Device Management (MDM) Diagnostics improperly handles junctions. An attacker who successfully exploited this vulnerability could bypass access restrictions to read files.</p>
<p>To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and access files.</p>
<p>The security update addresses the vulnerabili ...
Show More |
|||||
| CVE-2025-70150 | 1 Codeastro | 1 Membership Management System | 2026-02-23 | N/A | 9.8 CRITICAL |
|
CodeAstro Membership Management System 1.0 contains a missing authentication vulnerability in delete_members.php that allows unauthenticated attackers to delete arbitrary member records via the id parameter.
|
|||||
| CVE-2025-70141 | 1 Oretnom23 | 1 Customer Support System | 2026-02-23 | N/A | 9.4 CRITICAL |
|
SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in admin_class.php based on the action parameter. An unauthenticated remote attacker can perform sensitive operations such as creating customers and deleting users (including the admin account), as well as modifying or deleting other application records (tickets, departments, comments ...
Show More |
|||||
| CVE-2026-1169 | 1 Birkir | 1 Prime | 2026-02-23 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A security vulnerability has been detected in birkir prime up to 0.4.0.beta.0. This vulnerability affects unknown code. Such manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
|
|||||
| CVE-2023-2480 | 1 M-files | 1 M-files | 2026-02-23 | N/A | 7.5 HIGH |
|
Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications
|
|||||
| CVE-2026-25517 | 1 Torchbox | 1 Wagtail | 2026-02-20 | N/A | 2.7 LOW |
|
Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user's choosing. The existing data of the object itself is not exposed, but de ...
Show More |
|||||
| CVE-2019-1170 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2026-02-20 | 7.2 HIGH | 7.9 HIGH |
|
An elevation of privilege vulnerability exists when reparse points are created by sandboxed processes allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system.
To exploit the vulnerability, an attacker would first have to log on to the system, and then run a specially crafted application to take control over the affected system.
The security update addresses the vulnerability by preventing sandboxed ...
Show More |
|||||
| CVE-2026-26358 | 1 Dell | 1 Unisphere For Powermax | 2026-02-20 | N/A | 8.8 HIGH |
|
Dell Unisphere for PowerMax, version(s) 10.2, contain(s) a Missing Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.
|
|||||
| CVE-2023-1338 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-02-20 | N/A | 4.3 MEDIUM |
|
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the attach_rule function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to modify cache rules.
|
|||||
| CVE-2023-1337 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-02-20 | N/A | 4.3 MEDIUM |
|
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the clear_uucss_logs function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete plugin log files.
|
|||||
| CVE-2023-1336 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-02-20 | N/A | 4.3 MEDIUM |
|
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check on the ajax_deactivate function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to disable caching.
|
|||||
| CVE-2023-1335 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-02-20 | N/A | 4.3 MEDIUM |
|
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the ucss_connect function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to connect a new license key to the site.
|
|||||
| CVE-2023-1334 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-02-20 | N/A | 4.3 MEDIUM |
|
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized cache modification due to a missing capability check on the queue_posts function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to modify the plugin's cache.
|
|||||
| CVE-2026-24944 | 2026-02-20 | N/A | 6.5 MEDIUM | ||
|
Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44.
|
|||||
| CVE-2026-24941 | 2026-02-20 | N/A | 7.5 HIGH | ||
|
Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.4.
|
|||||
| CVE-2025-70146 | 1 Projectworlds | 1 Online Time Table Generator | 2026-02-20 | N/A | 9.1 CRITICAL |
|
Missing authentication in multiple administrative action scripts under /admin/ in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to perform unauthorized administrative operations (e.g.,adding records, deleting records) via direct HTTP requests to affected endpoints without a valid session.
|
|||||
| CVE-2025-70147 | 1 Projectworlds | 1 Online Time Table Generator | 2026-02-20 | N/A | 7.5 HIGH |
|
Missing authentication in /admin/student.php and /admin/teacher.php in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to obtain sensitive information (including plaintext password field values) via direct HTTP GET requests to these endpoints without a valid session.
|
|||||
| CVE-2023-6279 | 1 Woostify | 1 Sites Library | 2026-02-20 | N/A | 7.1 HIGH |
|
The Woostify Sites Library WordPress plugin before 1.4.8 does not have authorisation in an AJAX action, allowing any authenticated users, such as subscriber to update arbitrary blog options and set them to 'activated' which could lead to DoS when using a specific option name
|
|||||
| CVE-2026-27181 | 1 Mjdm | 1 Majordomo | 2026-02-20 | N/A | 7.5 HIGH |
|
MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without authentication via the /objects/?module=market endpoint. The uninstall mode handler calls uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eva ...
Show More |
|||||
| CVE-2026-25768 | 1 84codes | 1 Lavinmq | 2026-02-20 | N/A | 6.5 MEDIUM |
|
LavinMQ is a high-performance message queue & streaming server. Before 2.6.6, an authenticated user could access metadata in the broker they should not have access to. This vulnerability is fixed in 2.6.6.
|
|||||
| CVE-2026-27387 | 2026-02-20 | N/A | 5.4 MEDIUM | ||
|
Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through <= 3.6.26.
|
|||||
| CVE-2026-27055 | 2026-02-20 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in PenciDesign Penci AI SmartContent Creator penci-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Penci AI SmartContent Creator: from n/a through <= 2.0.
|
|||||
| CVE-2026-23547 | 2026-02-20 | N/A | 7.1 HIGH | ||
|
Missing Authorization vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CMSMasters Content Composer: from n/a through <= 2.5.8.
|
|||||
| CVE-2026-25330 | 2026-02-20 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1.
|
|||||
| CVE-2026-25315 | 2026-02-20 | N/A | 5.3 MEDIUM | ||
|
Missing Authorization vulnerability in hcaptcha hCaptcha for WP hcaptcha-for-forms-and-more allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects hCaptcha for WP: from n/a through <= 4.22.0.
|
|||||
| CVE-2026-25313 | 2026-02-20 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in Shahjahan Jewel FluentForm fluentform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentForm: from n/a through <= 6.1.14.
|
|||||
| CVE-2025-68834 | 2026-02-20 | N/A | N/A | ||
|
Missing Authorization vulnerability in Saiful Islam Sync Master Sheet – Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet – Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.
|
|||||
| CVE-2025-65036 | 1 Xwiki | 1 Pro Macros | 2026-02-20 | N/A | 8.3 HIGH |
|
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to 1.27.1, the macro executes Velocity from the details pages without checking for permissions, which can lead to remote code execution. This vulnerability is fixed in 1.27.1.
|
|||||
| CVE-2026-26977 | 1 Frappe | 1 Learning | 2026-02-20 | N/A | 5.3 MEDIUM |
|
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release.
|
|||||
| CVE-2026-25420 | 2026-02-20 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in MailerLite MailerLite official-mailerlite-sign-up-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MailerLite: from n/a through <= 1.7.18.
|
|||||
| CVE-2026-25388 | 2026-02-20 | N/A | 5.4 MEDIUM | ||
|
Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads Pro: from n/a through <= 5.0.
|
|||||
| CVE-2026-25364 | 2026-02-20 | N/A | 5.3 MEDIUM | ||
|
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.8.
|
|||||
| CVE-2025-70148 | 1 Codeastro | 1 Membership Management System | 2026-02-20 | N/A | 7.5 HIGH |
|
Missing authentication and authorization in print_membership_card.php in CodeAstro Membership Management System 1.0 allows unauthenticated attackers to access membership card data of arbitrary users via direct requests with a manipulated id parameter, resulting in insecure direct object reference (IDOR).
|
|||||
| CVE-2026-2819 | 2026-02-20 | 6.5 MEDIUM | 6.3 MEDIUM | ||
|
A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-30416 | 2026-02-20 | N/A | 10.0 CRITICAL | ||
|
Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.
|
|||||
| CVE-2026-27328 | 2026-02-20 | N/A | 5.3 MEDIUM | ||
|
Missing Authorization vulnerability in DevsBlink EduBlink edublink allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EduBlink: from n/a through <= 2.0.7.
|
|||||