Total: 6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-24312 | 1 Sap | 1 Sap Basis | 2026-02-17 | N/A | 5.2 MEDIUM | An erroneous authorization check in SAP Business Workflow leads to privilege escalation. An authenticated administrative user can bypass role restrictions by leveraging permissions from a less sensitive function to execute unauthorized, high-privilege actions. This has a high impact on data integrity, with low impact on confidentiality and no impact on availability of the application. |
| CVE-2026-24322 | 1 Sap | 1 Solution Tools Plug-in | 2026-02-17 | N/A | 7.7 HIGH | SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability. |
| CVE-2026-24326 | 1 Sap | 1 S/4hana Defense & Security | 2026-02-17 | N/A | 4.3 MEDIUM | Due to a missing authorization check in the Disconnected Operations of SAP S/4HANA Defense & Security, an attacker with user privileges could call remote-enabled function modules to perform direct updates on a standard SAP database table. This results in low impact on integrity, with no impact on confidentiality or availability of the application. |
| CVE-2026-24327 | 1 Sap | 1 Strategic Enterprise Management | 2026-02-17 | N/A | 4.3 MEDIUM | Due to a missing authorization check in SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view. This leads to low impact on confidentiality and no effect on integrity or availability. |
| CVE-2025-67737 | 1 Azuracast | 1 Azuracast | 2026-02-17 | N/A | 3.1 LOW | AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station's operations can craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. In order to carry out an attack, ... |
| CVE-2026-24532 | | | 2026-02-17 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through 5.0.2. |
| CVE-2023-1333 | 1 Rapidload | 1 Rapidload Power-up For Autoptimize | 2026-02-13 | N/A | 4.3 MEDIUM | The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_page_cache function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access to delete the plugin's cache. |
| CVE-2026-25531 | 1 Kanboard | 1 Kanboard | 2026-02-13 | N/A | 4.3 MEDIUM | Kanboard is project management software focused on the Kanban methodology. Prior to 1.2.50, the fix for CVE-2023-33968 is incomplete. The TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects, allowing authenticated users to duplicate tasks into projects they cannot access. This vulnerability is fixed in 1.2.50. |
| CVE-2026-25939 | 1 Frangoteam | 1 Fuxa | 2026-02-13 | N/A | 9.1 CRITICAL | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11. |
| CVE-2025-14592 | 1 Gitlab | 1 Gitlab | 2026-02-13 | N/A | 3.7 LOW | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an authenticated user to perform unauthorized operations by submitting GraphQL mutations through the GLQL API endpoint. |
| CVE-2026-1104 | | | 2026-02-13 | N/A | 8.8 HIGH | The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files. |
| CVE-2026-20626 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2026-02-12 | N/A | 7.8 HIGH | This issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A malicious app may be able to gain root privileges. |
| CVE-2025-30398 | 1 Microsoft | 1 Nuance Powerscribe One | 2026-02-12 | N/A | 8.1 HIGH | Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network. |
| CVE-2026-21743 | 1 Fortinet | 1 Fortiauthenticator | 2026-02-12 | N/A | 7.2 HIGH | A missing authorization vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow a read-only user to make modifications to local users via a file upload to an unprotected endpoint. |
| CVE-2026-25036 | | | 2026-02-12 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Passster: from n/a through <= 4.2.25. |
| CVE-2026-1671 | | | 2026-02-12 | N/A | 6.5 MEDIUM | The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter_activity_log_action() function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view potentially sensitive information (e.g., the password of a higher-level user, such as an administrator) contained in the exposed log files. |
| CVE-2026-1537 | | | 2026-02-12 | N/A | 5.3 MEDIUM | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details. |
| CVE-2026-25806 | 1 Prasklatechnology | 1 Placipy | 2026-02-11 | N/A | 6.5 MEDIUM | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email, PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do not enforce authorization. The application does not verify whether the authenticated user owns the student record being accessed, has an administrative / staff role, or is permitted to modify or delete ... |
| CVE-2026-25810 | 1 Prasklatechnology | 1 Placipy | 2026-02-11 | N/A | 9.1 CRITICAL | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the routes in backend/src/routes/student.submission.routes.ts verify authentication but fail to enforce object-level authorization (ownership checks). |
| CVE-2026-25876 | 1 Prasklatechnology | 1 Placipy | 2026-02-11 | N/A | 9.1 CRITICAL | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the routes in backend/src/routes/results.routes.ts verify authentication but fail to enforce object-level authorization (ownership checks). For example, this can be used to return all results for an assessment. |
| CVE-2026-1734 | 1 Crmeb | 1 Crmeb | 2026-02-11 | 5.0 MEDIUM | 5.3 MEDIUM | A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missing authorization. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-70983 | 1 Bladex | 1 Springblade | 2026-02-11 | N/A | 9.9 CRITICAL | Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. |
| CVE-2025-52024 | 1 Aptsys | 1 Gemscms Backend | 2026-02-11 | N/A | 9.4 CRITICAL | A vulnerability exists in the Aptsys POS Platform Web Services module through 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any ... |
| CVE-2026-25538 | 1 Devtron | 1 Devtron | 2026-02-11 | N/A | 8.8 HIGH | Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platfor ... |
| CVE-2026-2208 | 1 Wekan Project | 1 Wekan | 2026-02-11 | 4.0 MEDIUM | 4.3 MEDIUM | A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded. |
| CVE-2026-24777 | 1 Openproject | 1 Openproject | 2026-02-11 | N/A | 6.7 MEDIUM | OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, and they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2. |
| CVE-2025-13391 | | | 2026-02-11 | N/A | 5.8 MEDIUM | The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60. |
| CVE-2025-15400 | | | 2026-02-11 | N/A | 6.5 MEDIUM | The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated user, such as a subscriber, to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality. |
| CVE-2025-15524 | | | 2026-02-11 | N/A | 4.3 MEDIUM | The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve metadata (name, image count, thumbnail URL) of private, draft, and password-protected galleries by enumerating gallery IDs. |
| CVE-2026-1786 | | | 2026-02-11 | N/A | 6.5 MEDIUM | The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dg_tw_options' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including Twitter API credentials, post author, post status, and the capability required to access the plugin's admin menu. |
| CVE-2026-1748 | | | 2026-02-11 | N/A | 4.3 MEDIUM | The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve invoice clients, invoice items, and the list of WordPress users along with their emails. |
| CVE-2026-1833 | | | 2026-02-11 | N/A | 5.3 MEDIUM | The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to block and unblock phone numbers, which should be restricted to administrators. |
| CVE-2026-0817 | 1 Wikimedia | 1 Campaignevents | 2026-02-10 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Wikimedia Foundation MediaWiki - CampaignEvents extension allows Privilege Abuse. This issue affects MediaWiki - CampaignEvents extension: 1.45, 1.44, 1.43, 1.39. |
| CVE-2026-1897 | 1 Wekan Project | 1 Wekan | 2026-02-10 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component. |
| CVE-2025-15289 | 1 Tanium | 1 Interact | 2026-02-10 | N/A | 3.1 LOW | Tanium addressed an improper access controls vulnerability in Interact. |
| CVE-2025-15330 | 1 Tanium | 1 Deploy | 2026-02-10 | N/A | 8.8 HIGH | Tanium addressed an improper input validation vulnerability in Deploy. |
| CVE-2025-15327 | 1 Tanium | 1 Deploy | 2026-02-10 | N/A | 4.3 MEDIUM | Tanium addressed an improper access controls vulnerability in Deploy. |
| CVE-2025-15326 | 1 Tanium | 1 Patch | 2026-02-10 | N/A | 4.3 MEDIUM | Tanium addressed an improper access controls vulnerability in Patch. |
| CVE-2025-14895 | | | 2026-02-10 | N/A | 5.4 MEDIUM | The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete analytics data including device types, browser information, countries, referrer URLs, and campaign metrics. |
| CVE-2026-1722 | | | 2026-02-10 | N/A | 5.3 MEDIUM | The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the p ... |