Export limit exceeded: 335114 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10670 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10670 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-38005 | 1 Ibm | 1 Cloud Pak System | 2026-02-20 | 4.3 Medium |
| IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could allow an authenticated user to perform unauthorized tasks due to improper access controls. | ||||
| CVE-2026-26977 | 1 Frappe | 2 Learning, Lms | 2026-02-20 | 5.3 Medium |
| Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release. | ||||
| CVE-2025-55238 | 1 Microsoft | 3 365, Dynamics 365, Dynamics 365 Fasttrack Implementation | 2026-02-20 | 7.5 High |
| Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability | ||||
| CVE-2025-53791 | 1 Microsoft | 1 Edge Chromium | 2026-02-20 | 4.7 Medium |
| Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. | ||||
| CVE-2025-33056 | 1 Microsoft | 24 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 21 more | 2026-02-20 | 7.5 High |
| Improper access control in Microsoft Local Security Authority Server (lsasrv) allows an unauthorized attacker to deny service over a network. | ||||
| CVE-2025-54116 | 1 Microsoft | 19 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 16 more | 2026-02-20 | 7.3 High |
| Improper access control in Windows MultiPoint Services allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-32722 | 1 Microsoft | 21 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 18 more | 2026-02-20 | 5.5 Medium |
| Improper access control in Windows Storage Port Driver allows an authorized attacker to disclose information locally. | ||||
| CVE-2025-32714 | 1 Microsoft | 24 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 21 more | 2026-02-20 | 7.8 High |
| Improper access control in Windows Installer allows an authorized attacker to elevate privileges locally. | ||||
| CVE-2025-54918 | 1 Microsoft | 28 Windows, Windows 10, Windows 10 1507 and 25 more | 2026-02-20 | 8.8 High |
| Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. | ||||
| CVE-2026-24740 | 2 Amir20, Amirraminfar | 2 Dozzle, Dozzle | 2026-02-19 | 9.9 Critical |
| Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out‑of‑scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue. | ||||
| CVE-2026-25229 | 1 Gogs | 1 Gogs | 2026-02-19 | 6.5 Medium |
| Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI (internal/route/repo/issue.go) fails to verify that the label being modified belongs to the repository specified in the URL path, enabling cross-repository label tampering attacks. The vulnerability exists in the Web UI's label update endpoint POST /:username/:reponame/labels/edit. The handler function UpdateLabel uses an incorrect database query function that bypasses repository ownership validation. This issue has been fixed in version 0.14.1. | ||||
| CVE-2025-70866 | 1 Lavalite | 2 Cms, Lavalite | 2026-02-19 | 8.8 High |
| LavaLite CMS 10.1.0 is vulnerable to Incorrect Access Control. An authenticated user with low-level privileges (User role) can directly access the admin backend by logging in through /admin/login. The vulnerability exists because the admin and user authentication guards share the same user provider without role-based access control verification. | ||||
| CVE-2026-25231 | 2 Error311, Filerise | 2 Filerise, Filerise | 2026-02-19 | 7.5 High |
| FileRise is a self-hosted web file manager / WebDAV server. Versions prior to 3.3.0, the application contains an unauthenticated file read vulnerability due to the lack of access control on the /uploads directory. Files uploaded to this directory can be accessed directly by any user who knows or can guess the file path, without requiring authentication. As a result, sensitive data could be exposed, and privacy may be breached. This vulnerability is fixed in 3.3.0. | ||||
| CVE-2026-25758 | 2 Spree, Spreecommerce | 2 Spree, Spree | 2026-02-19 | 7.5 High |
| Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2. | ||||
| CVE-2025-12884 | 2 Monetizemore, Wordpress | 2 Advanced Ads – ad Manager & Adsense, Wordpress | 2026-02-19 | 4.3 Medium |
| The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update ad placements, allowing them to change which ad or ad group a placement serves. | ||||
| CVE-2025-4521 | 2 Themeatelier, Wordpress | 2 Idonate – Blood Donation, Request And Donor Management System, Wordpress | 2026-02-19 | 8.8 High |
| The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to hijack any account by reassigning its email address (via the donor_id they supply) and then triggering a password reset, ultimately granting themselves full administrator privileges. | ||||
| CVE-2025-15581 | 1 Orthanc-server | 1 Orthanc | 2026-02-19 | N/A |
| Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access. | ||||
| CVE-2025-61879 | 1 Infoblox | 1 Nios | 2026-02-19 | 7.7 High |
| In Infoblox NIOS through 9.0.7, a High-Privileged User Can Trigger an Arbitrary File Write via the Account Creation Mechanism. | ||||
| CVE-2026-25748 | 1 Goauthentik | 1 Authentik | 2026-02-19 | 8.6 High |
| authentik is an open-source identity provider. Prior to 2025.10.4 and 2025.12.4, with a malformed cookie it was possible to bypass authentication when using forward authentication in the authentik Proxy Provider when used in conjunction with Traefik or Caddy as reverse proxy. When a malicious cookie was used, none of the authentik-specific X-Authentik-* headers were set which depending on application can grant access to an attacker. authentik 2025.10.4 and 2025.12.4 fix this issue. | ||||
| CVE-2025-7630 | 1 Doruk Communication And Automation Industry And Trade Inc. | 1 Wispotter | 2026-02-19 | 5.3 Medium |
| Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing, Brute Force.This issue affects Wispotter: from 1.0 before v2025.10.08.1. | ||||