Total
6607 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2552 | 1 Awesomemotive | 1 Duplicator | 2026-02-02 | N/A | 5.3 MEDIUM |
| The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. | |||||
| CVE-2026-24139 | 1 Franklioxygen | 1 Mytube | 2026-02-02 | N/A | 6.5 MEDIUM |
| MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view. | |||||
| CVE-2025-70985 | 1 Ruoyi | 1 Ruoyi | 2026-01-30 | N/A | 9.1 CRITICAL |
| Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope. | |||||
| CVE-2025-70986 | 1 Ruoyi | 1 Ruoyi | 2026-01-30 | N/A | 7.5 HIGH |
| Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data. | |||||
| CVE-2026-22461 | 2026-01-30 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in WebAppick CTX Feed webappick-product-feed-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CTX Feed: from n/a through <= 6.6.18. | |||||
| CVE-2025-68479 | 1 Discourse | 1 Discourse | 2026-01-30 | N/A | 7.1 HIGH |
| Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | |||||
| CVE-2023-3426 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2026-01-30 | N/A | 4.3 MEDIUM |
| The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations. | |||||
| CVE-2026-21865 | 1 Discourse | 1 Discourse | 2026-01-30 | N/A | 6.5 MEDIUM |
| Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn't have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the "personal message enabled groups" site setting until the Discourse instance has been upgraded to a version that has been patched. | |||||
| CVE-2022-47425 | 1 Reputeinfosystems | 1 Armember | 2026-01-30 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Repute Infosystems ARMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ARMember: from n/a through 3.4.10. | |||||
| CVE-2026-1148 | 1 Pamzey | 1 Patients Waiting Area Queue Management System | 2026-01-30 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was determined in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. It is possible to launch the attack remotely. | |||||
| CVE-2026-24421 | 1 Phpmyfaq | 1 Phpmyfaq | 2026-01-30 | N/A | 6.5 MEDIUM |
| phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17. | |||||
| CVE-2025-65098 | 1 Typebot | 1 Typebot | 2026-01-30 | N/A | 7.4 HIGH |
| Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. | |||||
| CVE-2025-54943 | 1 Sun.net | 1 Ehrd Ctms | 2026-01-30 | N/A | 9.8 CRITICAL |
| A missing authorization vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to perform unauthorized application deployment due to the absence of proper access control checks. | |||||
| CVE-2025-5885 | 1 Konicaminolta | 1 Bizhub | 2026-01-30 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability has been found in Konica Minolta bizhub up to 20250202 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-20888 | 1 Gitea | 1 Gitea | 2026-01-29 | N/A | 4.3 MEDIUM |
| Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. | |||||
| CVE-2025-68547 | 1 Wpwebelite | 1 Follow My Blog Post | 2026-01-29 | N/A | 7.5 HIGH |
| Missing Authorization vulnerability in WPweb Follow My Blog Post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Follow My Blog Post: from n/a through 2.4.0. | |||||
| CVE-2025-68003 | 2026-01-29 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shown Connector: from n/a through <= 1.2.10. | |||||
| CVE-2025-67956 | 2026-01-29 | N/A | 8.2 HIGH | ||
| Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6. | |||||
| CVE-2025-66532 | 1 Qodeinteractive | 1 Powerlift | 2026-01-29 | N/A | 8.8 HIGH |
| Missing Authorization vulnerability in Mikado-Themes Powerlift powerlift allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Powerlift: from n/a through < 3.2.1. | |||||
| CVE-2026-1054 | 2026-01-29 | N/A | 5.3 MEDIUM | ||
| The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles. | |||||