Search Results (11505 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2026-8839 | 2 Chrisrichardson, Wordpress | 2 Mappress Maps For Wordpress, Wordpress | 2026-06-06 | 5.3 Medium | The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map; this gap is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data (including POI titles, addresses, coordinates, and body content) for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author. |
| CVE-2026-9851 | 2 Masaakitanaka, Wordpress | 2 Booking Package, Wordpress | 2026-06-06 | 7.2 High | The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover. |
| CVE-2026-1619 | 2 Uni-yaz, Universal Software Inc. | 2 Flexcity, Flexcity/kiosk | 2026-06-06 | 8.3 High | Authorization Bypass Through User-Controlled Key vulnerability in Universal Software Inc. FlexCity/Kiosk allows Exploitation of Trusted Identifiers. This issue affects FlexCity/Kiosk: from 1.0 before 1.0.36. |
| CVE-2026-7399 | 1 Meware Software Development | 1 Pdks | 2026-06-06 | 8.1 High | Authorization Bypass Through User-Controlled Key vulnerability in MeWare Software Development Inc. PDKS allows Privilege Abuse. This issue affects PDKS: from V16.20200313 before VMYR_3.5.2025117. |
| CVE-2025-0606 | 1 Logo Software | 1 Logo Cloud | 2026-06-06 | 6 Medium | Authorization Bypass Through User-Controlled Key vulnerability in Logo Software Inc. Logo Cloud allows Forceful Browsing, Resource Leak Exposure. This issue affects Logo Cloud: before 0.67. |
| CVE-2025-0608 | 1 Logo Software | 1 Logo Cloud | 2026-06-06 | 5.5 Medium | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Logo Software Inc. Logo Cloud allows Phishing, Forceful Browsing. This issue affects Logo Cloud: before 2025.R6. |
| CVE-2025-0640 | 1 Akinsoft | 1 Octocloud | 2026-06-06 | 4.7 Medium | Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft OctoCloud allows Resource Leak Exposure. This issue affects OctoCloud: from s1.09.02 before v1.11.01. |
| CVE-2025-0642 | 1 Poscube | 1 Assist | 2026-06-06 | 6.3 Medium | Use of Hard-coded Credentials, Authorization Bypass Through User-Controlled Key vulnerability in PosCube Hardware Software and Consulting Ltd. Co. Assist allows Excavation, Authentication Bypass. This issue affects Assist: through 10.02.2025. |
| CVE-2025-0670 | 1 Akinsoft | 1 Prokuafor | 2026-06-06 | 4.7 Medium | Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft ProKuafor allows Resource Leak Exposure. This issue affects ProKuafor: from s1.02.07 before v1.02.08. |
| CVE-2025-0875 | | | 2026-06-06 | 6.5 Medium | Authorization Bypass Through User-Controlled Key vulnerability in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) allows Parameter Injection. This issue affects OBS (Student Affairs Information System): before v26.0328. |
| CVE-2025-0987 | 1 Cb Project | 1 Cvland | 2026-06-06 | 9.9 Critical | Authorization Bypass Through User-Controlled Key vulnerability in CB Project Ltd. Co. CVLand allows Parameter Injection. This issue affects CVLand: from 2.1.0 through 20251103. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-1031 | 1 Utarit | 1 Soliclub | 2026-06-06 | 7.5 High | Authorization Bypass Through User-Controlled Key vulnerability in Utarit Informatics Services Inc. SoliClub allows Functionality Misuse. This issue affects SoliClub: from 5.2.4 before 5.3.7. |
| CVE-2025-1161 | 1 Nomysost | 1 Nomysem | 2026-06-06 | 7.1 High | Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation. This issue affects Nomysem: through May 2025. |
| CVE-2025-1269 | | | 2026-06-06 | 4.8 Medium | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in HAVELSAN Liman MYS allows Cross-Site Flashing. This issue affects Liman MYS: before 2.1.1 - 1010. |
| CVE-2025-1469 | | | 2026-06-06 | 7.5 High | Authorization Bypass Through User-Controlled Key vulnerability in Turtek Software Eyotek allows Exploitation of Trusted Identifiers. This issue affects Eyotek: before 11.03.2025. |
| CVE-2025-1885 | 1 Restajet | 1 Online Food Delivery System | 2026-06-06 | 5.4 Medium | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Restajet Information Technologies Inc. Online Food Delivery System allows Phishing, Forceful Browsing. This issue affects Online Food Delivery System: through 19122025. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-2301 | | | 2026-06-06 | 4.4 Medium | Authorization Bypass Through User-Controlled Key vulnerability in Akbim Software Online Exam Registration allows Exploitation of Trusted Identifiers. This issue affects Online Exam Registration: before 14.03.2025. |
| CVE-2025-2311 | | | 2026-06-06 | 9 Critical | Incorrect Use of Privileged APIs, Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in Sechard Information Technologies SecHard allows Authentication Bypass, Interface Manipulation, Authentication Abuse, Harvesting Information via API Event Monitoring. This issue affects SecHard: before 3.3.0.20220411. |
| CVE-2026-11206 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-06-06 | 6.5 Medium | Insufficient policy enforcement in ServiceWorker in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-11184 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-06-06 | 6.3 Medium | Insufficient policy enforcement in Actor in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) |