Export limit exceeded: 21513 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10554 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10554 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9194 | 1 Wordpress | 1 Wordpress | 2026-04-20 | 4.3 Medium |
| The Constructor theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clean() function in all versions up to, and including, 1.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a theme clean. | ||||
| CVE-2025-9243 | 2 Stylemixthemes, Wordpress | 2 Cost Calculator Builder, Wordpress | 2026-04-20 | 8.1 High |
| The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status. | ||||
| CVE-2025-9029 | 2 Posimyththemes, Wordpress | 2 Wdesignkit, Wordpress | 2026-04-20 | 4.3 Medium |
| The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services. | ||||
| CVE-2025-8593 | 2 Westerndeal, Wordpress | 2 Gsheetconnector For Gravity Forms, Wordpress | 2026-04-20 | 8.8 High |
| The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than, or equal to, 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with subscriber-level access and above to install plugins on the target site and potentially achieve arbitrary code execution on the server under certain conditions. | ||||
| CVE-2026-35061 | 1 Anviz | 1 Anviz Cx7 Firmware | 2026-04-20 | 5.3 Medium |
| Anviz CX7 Firmware is vulnerable to the most recently captured test photo that can be retrieved without authentication, revealing sensitive operational imagery. | ||||
| CVE-2026-32648 | 1 Anviz | 2 Anviz Cx2 Lite Firmware, Anviz Cx7 Firmware | 2026-04-20 | 5.3 Medium |
| Anviz CX2 Lite and CX7 are vulnerable to unauthenticated access that discloses debug configuration details (e.g., SSH/RTTY status), assisting attackers in reconnaissance against the device. | ||||
| CVE-2026-33093 | 1 Anviz | 1 Anviz Cx7 Firmware | 2026-04-20 | 5.3 Medium |
| Anviz CX7 Firmware is vulnerable to an unauthenticated POST to the device that captures a photo with the front facing camera, exposing visual information about the deployment environment. | ||||
| CVE-2025-13480 | 1 Fudo Security | 1 Fudo Enterprise | 2026-04-20 | N/A |
| Fudo Enterprise in versions from 5.5.0 through 5.6.2 allows low privileged users to access certain administrator-only resources via improperly protected API endpoints. This includes sensitive information such as system logs and parts of system configuration settings. This vulnerability has been fixed in version 5.6.3 | ||||
| CVE-2026-40350 | 1 Leepeuker | 1 Movary | 2026-04-20 | 8.8 High |
| Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue. | ||||
| CVE-2026-40155 | 1 Auth0 | 1 Nextjs-auth0 | 2026-04-20 | 5.4 Medium |
| The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0. | ||||
| CVE-2026-40474 | 1 Wger-project | 1 Wger | 2026-04-20 | 7.6 High |
| wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead of WgerPermissionMixin, so the permission is never enforced at runtime. Since GymConfig is an ownerless singleton, any authenticated user can modify the global gym configuration, triggering save() side effects that bulk-update user profile gym assignments — a vertical privilege escalation to installation-wide configuration control. This issue is fixed in version 2.5. | ||||
| CVE-2026-40349 | 1 Leepeuker | 1 Movary | 2026-04-20 | 8.8 High |
| Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user ID. The endpoint is intended to let a user edit their own profile, but it updates the sensitive `isAdmin` field without any admin-only authorization check. Version 0.71.1 patches the issue. | ||||
| CVE-2025-7782 | 2 Wordpress, Wp-jobhunt Project | 2 Wordpress, Wp-jobhunt | 2026-04-20 | 7.6 High |
| The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user. | ||||
| CVE-2025-5919 | 2 Arraytics, Wordpress | 2 Appointment Booking Calendar, Wordpress | 2026-04-20 | 6.5 Medium |
| The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details. | ||||
| CVE-2026-40480 | 1 Churchcrm | 1 Churchcrm | 2026-04-20 | N/A |
| ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/{personId} endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson() restrictions, the API layer omits this check. Any authenticated user with only EditSelf privileges can enumerate and read other members' records, exposing sensitive PII including names, addresses, phone numbers, and email addresses. This issue has been fixed in version 7.2.0. | ||||
| CVE-2026-40581 | 1 Churchcrm | 1 Churchcrm | 2026-04-20 | 8.1 High |
| ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0. | ||||
| CVE-2026-33866 | 2 Lfprojects, Mlflow | 2 Mlflow, Mlflow | 2026-04-20 | 4.3 Medium |
| MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow version through 3.10.1 | ||||
| CVE-2025-0237 | 2 Mozilla, Redhat | 8 Firefox, Thunderbird, Enterprise Linux and 5 more | 2026-04-20 | 5.4 Medium |
| The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6. | ||||
| CVE-2026-35175 | 1 Ajenti | 1 Ajenti | 2026-04-20 | 6.5 Medium |
| Ajenti is a Linux and BSD modular server admin panel. Prior to 2.2.15, an authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not superuser. This vulnerability is fixed in 2.2.15. | ||||
| CVE-2026-21721 | 1 Grafana | 2 Grafana, Grafana Enterprise | 2026-04-20 | 8.1 High |
| The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization‑internal privilege escalation. | ||||