Export limit exceeded: 14587 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 11588 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11588 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9484 | 1 Gitlab | 1 Gitlab | 2026-04-15 | 4.3 Medium |
| GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries. | ||||
| CVE-2026-39381 | 2 Parse Community, Parseplatform | 2 Parse Server, Parse-server | 2026-04-15 | 4.3 Medium |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75. | ||||
| CVE-2026-40189 | 2 Goshs, Patrickhener | 2 Goshs, Goshs | 2026-04-15 | 9.8 Critical |
| goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4. | ||||
| CVE-2019-16738 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2026-04-15 | 5.3 Medium |
| In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup. | ||||
| CVE-2018-11802 | 1 Apache | 1 Solr | 2026-04-15 | 4.3 Medium |
| In Apache Solr, the cluster can be partitioned into multiple collections and only a subset of nodes actually host any given collection. However, if a node receives a request for a collection it does not host, it proxies the request to a relevant node and serves the request. Solr bypasses all authorization settings for such requests. This affects all Solr versions prior to 7.7 that use the default authorization mechanism of Solr (RuleBasedAuthorizationPlugin). | ||||
| CVE-2025-15473 | 2 Timetics, Wordpress | 2 Timetics, Wordpress | 2026-04-15 | 4.3 Medium |
| The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type. | ||||
| CVE-2025-15445 | 2 Restaurant Cafeteria, Wordpress | 2 Restaurant Cafeteria, Wordpress | 2026-04-15 | 5.4 Medium |
| The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP code execution, and also import demo content that rewrites site configuration, including Restaurant Cafeteria WordPress theme through 0.4.6_mods, pages, menus, and front page settings. | ||||
| CVE-2024-10663 | 2026-04-15 | 4.3 Medium | ||
| The Eleblog – Elementor Blog And Magazine Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the goodbye_form_callback() function in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit a deactivation reason. | ||||
| CVE-2025-69381 | 2 Vanquish, Wordpress | 2 Woocommerce Bulk Product Editor, Wordpress | 2026-04-15 | 7.1 High |
| Missing Authorization vulnerability in vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Product Editor: from n/a through <= 3.0. | ||||
| CVE-2025-69388 | 2 Cliengo, Wordpress | 2 Cliengo – Chatbot, Wordpress | 2026-04-15 | 6.5 Medium |
| Missing Authorization vulnerability in cliengo Cliengo – Chatbot cliengo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cliengo – Chatbot: from n/a through <= 3.0.4. | ||||
| CVE-2025-5483 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. This makes it possible for unauthenticated attackers to create new user accounts with the administrator role when the PRO functionality is enabled. | ||||
| CVE-2025-43007 | 2026-04-15 | 6.3 Medium | ||
| SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on confidentiality, integrity and availability of the application. | ||||
| CVE-2025-0885 | 2026-04-15 | N/A | ||
| Incorrect Authorization vulnerability in OpenText™ GroupWise allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow unauthorized access to calendar items marked private. This issue affects GroupWise versions 7 through 17.5, 23.4, 24.1, 24.2, 24.3, 24.4. | ||||
| CVE-2025-4046 | 1 Lexmark | 1 Cloud Services | 2026-04-15 | 8.5 High |
| A missing authorization vulnerability in Lexmark Cloud Services badge management allows attacker to reassign badges within their organization | ||||
| CVE-2025-33185 | 1 Nvidia | 1 Aistore | 2026-04-15 | 5.3 Medium |
| NVIDIA AIStore contains a vulnerability in AuthN where an unauthenticated user may cause information disclosure. A successful exploit of this vulnerability may lead to information disclosure. | ||||
| CVE-2025-53499 | 2026-04-15 | 9.1 Critical | ||
| Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2. | ||||
| CVE-2024-12535 | 2026-04-15 | 8.6 High | ||
| The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited. | ||||
| CVE-2024-50967 | 2026-04-15 | 6.5 Medium | ||
| The /rest/rights/ REST API endpoint in Becon DATAGerry through 2.2.0 contains an Incorrect Access Control vulnerability. An attacker can remotely access this endpoint without authentication, leading to unauthorized disclosure of sensitive information. | ||||
| CVE-2024-1229 | 2 Redbit Sro, Wordpress | 2 Simple Shop, Wordpress | 2026-04-15 | 5.3 Medium |
| The SimpleShop plugin for WordPress is vulnerable to unauthorized disconnection from SimpleShop due to a missing capability check on the maybe_disconnect_simpleshop function in all versions up to, and including, 2.10.2. This makes it possible for unauthenticated attackers to disconnect the SimpleShop. | ||||
| CVE-2023-41656 | 3 Elementor, Wordpress, Wpdive | 3 Elementor, Wordpress, Better Addons For Elementor | 2026-04-15 | 5.4 Medium |
| Missing Authorization vulnerability in wpdive Better Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Elementor Addons: from n/a through 1.3.7. | ||||