Export limit exceeded: 363357 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Export limit exceeded: 11589 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (11589 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-3260 1 Grafana 1 Grafana 2026-04-15 8.3 High
A security vulnerability in the /apis/dashboard.grafana.app/* endpoints allows authenticated users to bypass dashboard and folder permissions. The vulnerability affects all API versions (v0alpha1, v1alpha1, v2alpha1). Impact: - Viewers can view all dashboards/folders regardless of permissions - Editors can view/edit/delete all dashboards/folders regardless of permissions - Editors can create dashboards in any folder regardless of permissions - Anonymous users with viewer/editor roles are similarly affected Organization isolation boundaries remain intact. The vulnerability only affects dashboard access and does not grant access to datasources.
CVE-2023-36512 2 Woo, Wordpress 2 Automatewoo, Wordpress 2026-04-15 6.5 Medium
Missing Authorization vulnerability in Woo AutomateWoo.This issue affects AutomateWoo: from n/a through 5.7.5.
CVE-2024-32797 2026-04-15 5.4 Medium
Missing Authorization vulnerability in Martin Gibson WP LinkedIn Auto Publish.This issue affects WP LinkedIn Auto Publish: from n/a through 8.11.
CVE-2024-42380 2026-04-15 4.3 Medium
The RFC enabled function module allows a low privileged user to read any user's workplace favourites and user menu along with all the specific data of each node. Usernames can be enumerated by exploiting vulnerability. There is low impact on confidentiality of the application.
CVE-2024-41729 2026-04-15 4.3 Medium
Due to missing authorization checks, SAP BEx Analyzer allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application.
CVE-2025-49459 3 Arm, Microsoft, Zoom 5 Arm, Windows, Workplace and 2 more 2026-04-15 7.8 High
Missing authorization in the installer for Zoom Workplace for Windows on ARM before version 6.5.0 may allow an authenticated user to conduct an escalation of privilege via local access.
CVE-2023-27437 2026-04-15 3.7 Low
Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf allows Functionality Misuse.This issue affects Event Espresso 4 Decaf: from n/a through 4.10.44.Decaf.
CVE-2020-36920 2026-04-15 8.8 High
iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references.
CVE-2025-23262 1 Nvidia 3 Connectx, Connectx-4, Connectx-5 2026-04-15 6.3 Medium
NVIDIA ConnectX contains a vulnerability in the management interface, where an attacker with local access could cause incorrect authorization to modify the configuration. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, and data tampering.
CVE-2025-23244 1 Nvidia 1 Gpu Display Driver 2026-04-15 7.8 High
NVIDIA GPU Display Driver for Linux contains a vulnerability which could allow an unprivileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
CVE-2025-42939 1 Sap 2 S/4hana, S4hana 2026-04-15 4.3 Medium
SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule conditions that should be restricted, compromising the integrity of the application without affecting its confidentiality or availability.
CVE-2025-23190 2026-04-15 4.3 Medium
Due to missing authorization check, an authenticated attacker could call a remote-enabled function module which allows them to access data that they would otherwise not have access to. The attacker cannot modify data or impact the availability of the system.
CVE-2025-23189 2026-04-15 4.3 Medium
Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an authenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability
CVE-2024-12920 2026-04-15 8.8 High
The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions in all versions up to, and including, 4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options.
CVE-2025-23187 2026-04-15 5.3 Medium
Due to missing authorization check in an RFC enabled function module in transaction SDCCN, an unauthenticated attacker could generate technical meta-data. This leads to a low impact on integrity. There is no impact on confidentiality or availability.
CVE-2024-32779 2026-04-15 5.3 Medium
Missing Authorization vulnerability in Avirtum Vision Interactive.This issue affects Vision Interactive: from n/a through 1.7.1.
CVE-2025-26661 2026-04-15 8.8 High
Due to missing authorization check, SAP NetWeaver (ABAP Class Builder) allows an attacker to gain higher access levels than they should have, resulting in escalation of privileges. On successful exploitation, this could result in disclosure of highly sensitive information. It could also have a high impact on the integrity and availability of the application.
CVE-2024-10567 1 Woocommerce 1 Woocommerce 2026-04-15 7.5 High
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to create new pages, modify plugin settings, and perform limited options updates.
CVE-2025-11758 2 Codebangers, Wordpress 2 All In One Time Clock Lite, Wordpress 2026-04-15 6.5 Medium
The All in One Time Clock Lite plugin for WordPress is vulnerable to unauthorized access due to a missing authorization check in all versions up to, and including, 2.0.3. This is due to the plugin exposing admin-level AJAX actions to unauthenticated users via wp_ajax_nopriv_ hooks, while relying only on a nonce check without capability checks. This makes it possible for unauthenticated attackers to create published pages, create shift records with integrity issues, and download time reports containing PII (employee names and work schedules).
CVE-2026-26205 1 Open-policy-agent 1 Opa-envoy-plugin 2026-04-15 N/A
opa-envoy-plugun is a plugin to enforce OPA policies with Envoy. Versions prior to 1.13.2-envoy-2 have a vulnerability in how the `input.parsed_path` field is constructed. HTTP request paths are treated as full URIs when parsed; interpreting leading path segments prefixed with double slashes (`//`) as authority components, and therefore dropping them from the parsed path. This creates a path interpretation mismatch between authorization policies and backend servers, enabling attackers to bypass access controls by crafting requests where the authorization filter evaluates a different path than the one ultimately served. Version 1.13.2-envoy-2 fixes the issue.