Vulnerabilities (CVE)

Filtered by CWE-266 (Incorrect Privilege Assignment)
Total: 890 CVEs
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-49111 2026-06-17 N/A 8.8 HIGH
Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - LMS allows Privilege Escalation. This issue affects Masteriyo - LMS: from n/a through 2.2.0.
CVE-2026-49083 2026-06-17 N/A 7.5 HIGH
Contributor-level privilege escalation in LatePoint versions 5.5.1 and earlier.
CVE-2026-49063 2026-06-17 N/A 7.3 HIGH
Unauthenticated privilege escalation in Listdom versions 5.5.0 and earlier.
CVE-2026-49060 2026-06-17 N/A 9.8 CRITICAL
Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4.
CVE-2026-48889 2026-06-17 N/A 8.8 HIGH
Subscriber-level privilege escalation in Amelia versions 2.3 and earlier.
CVE-2026-48879 2026-06-17 N/A 9.8 CRITICAL
Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation. This issue affects AIWU: from n/a through 1.4.17.
CVE-2026-48172 1 Litespeedtech 2 Litespeed Cpanel Plugin, Litespeed Whm Plugin 2026-06-17 N/A 9.8 CRITICAL
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. The issue is related to mishandling of the Redis enable/disable features. Detection is best done by running, in Bash: grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null. If there is no output, the logs show no exploitation of this vulnerability. If there is output, examine the IP addresses in the matching entries, determine whether they are legitimate, and block any that are not. To assess the damage done, examine the system logs for activity from the detected IP addresses. The recommended minimum version is 2.4.7.
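The advisory's grep tells you whether the marker appears anywhere; the next question is who called it and how often. The script below is an added example, not part of the CVE record or LiteSpeed's tooling. It assumes the access log is in common-log style with the client IP as the first whitespace-separated field (cPanel's access_log follows that convention); the sample log lines are constructed for illustration and are not real cPanel output. Two caveats the one-line grep hides: an empty result only means the surviving, unrotated logs hold no record, not that the host was never touched, and a hit may be a legitimate user toggling Redis, so the IPs are leads to verify rather than proof.

```python
import ipaddress
from collections import Counter
from pathlib import Path
from typing import Iterable, Optional

# Marker the advisory greps for; other query parameters may follow it.
MARKER = "cpanel_jsonapi_func=redisAble"


def source_ip(line: str) -> Optional[str]:
    """Assumption: the client IP is the first field, as in common log format.
    Error-log lines start with a timestamp and therefore return None."""
    parts = line.split(None, 1)
    if not parts:
        return None
    try:
        return str(ipaddress.ip_address(parts[0]))
    except ValueError:
        return None


def scan_lines(lines: Iterable[str]) -> tuple[Counter, int]:
    """Count marker hits per source IP.

    Returns (hits_per_ip, unattributed); unattributed counts lines that contain
    the marker but carry no leading client IP, so they are not silently dropped.
    """
    hits: Counter = Counter()
    unattributed = 0
    for line in lines:
        if MARKER not in line:
            continue
        ip = source_ip(line)
        if ip is None:
            unattributed += 1
        else:
            hits[ip] += 1
    return hits, unattributed


def scan_paths(paths: Iterable[str]) -> tuple[Counter, int]:
    """Recurse into the given files and directories, like the advisory's grep -r."""
    total: Counter = Counter()
    unattributed = 0
    for p in paths:
        root = Path(p)
        files = [f for f in root.rglob("*") if f.is_file()] if root.is_dir() else [root]
        for f in files:
            try:
                with f.open("r", errors="replace") as fh:
                    h, u = scan_lines(fh)
            except OSError:
                continue  # unreadable or missing, same effect as grep's 2>/dev/null
            total.update(h)
            unattributed += u
    return total, unattributed


# Constructed sample log lines (not real cPanel output) in the assumed format.
SAMPLE_LOG = """\
203.0.113.7 - alice [17/05/2026:03:12:44 -0000] "GET /cpsess123/json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble HTTP/1.1" 200 15 "" "curl/8.5.0"
198.51.100.9 - alice [17/05/2026:03:13:01 -0000] "GET /cpsess123/frontend/jupiter/index.html HTTP/1.1" 200 5120 "" "Mozilla/5.0"
203.0.113.7 - alice [17/05/2026:03:13:05 -0000] "GET /cpsess123/json-api/cpanel?cpanel_jsonapi_module=LiteSpeed&cpanel_jsonapi_func=redisAble&mode=1 HTTP/1.1" 200 15 "" "curl/8.5.0"
[2026-05-17 03:13:05 +0000] warn [cpanel] cpanel_jsonapi_func=redisAble called for user alice
"""

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        hits, unattributed = scan_paths(sys.argv[1:])
    else:
        hits, unattributed = scan_lines(SAMPLE_LOG.splitlines())
    if not hits and not unattributed:
        print("no redisAble calls found in the scanned logs")
    for ip, n in hits.most_common():
        print(f"{ip}\t{n} call(s)")
    if unattributed:
        print(f"{unattributed} matching line(s) without a client IP; review by hand")
```

Run it with the same two log directories the advisory names as arguments to scan a real host, or with no arguments to see it work on the constructed sample, where 203.0.113.7 accounts for both API calls and the error-log line is reported separately for manual review.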
CVE-2026-47169 2026-06-17 N/A N/A
Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the selected role has Administrator and is below the bot’s highest role, the attacker can join with a controlled account and receive full server admin. This issue has been patched in version 1.0.3.
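The root cause in the Quest Bot entry is a permission mismatch: the feature is gated on Manage Server, but what it ultimately does is hand out a role, which Discord itself gates on Manage Roles and the role hierarchy. The model below is an added example written for this page, not Quest Bot's code or the discord.js/discord.py API; the permission bit positions are Discord's real ones, while the roles, members and the two check functions are constructed for illustration. It shows the pre-fix check as the CVE describes it beside a hardened check that refuses any AutoRole the configurer could not have granted by hand.

```python
from dataclasses import dataclass

# Real Discord permission bit positions for the flags involved.
ADMINISTRATOR = 1 << 3
MANAGE_GUILD = 1 << 5    # shown as "Manage Server" in the client
MANAGE_ROLES = 1 << 28

# Stand-in for "every permission bit"; Administrator implies all of them.
ALL_PERMISSIONS = (1 << 64) - 1


@dataclass(frozen=True)
class Role:
    name: str
    position: int     # higher position = higher in the server's role list
    permissions: int  # bitfield


@dataclass(frozen=True)
class Member:
    name: str
    roles: tuple  # of Role

    def highest(self) -> Role:
        return max(self.roles, key=lambda r: r.position)

    def effective_permissions(self) -> int:
        perms = 0
        for r in self.roles:
            perms |= r.permissions
        return ALL_PERMISSIONS if perms & ADMINISTRATOR else perms

    def has(self, flag: int) -> bool:
        return bool(self.effective_permissions() & flag)


def can_set_autorole_vulnerable(configurer: Member, role: Role, bot: Member) -> bool:
    """Pre-fix behaviour as the CVE describes it: Manage Server is enough, and
    the only other condition is that the bot sits above the role it will grant."""
    return configurer.has(MANAGE_GUILD) and role.position < bot.highest().position


def can_set_autorole(configurer: Member, role: Role, bot: Member) -> bool:
    """Hardened check: the configurer must be able to grant this role themselves,
    so the bot cannot be used to launder a grant they are not allowed to make."""
    # Role grants are governed by Manage Roles (or Administrator), not Manage Server.
    if not configurer.has(MANAGE_ROLES):
        return False
    # Mirror Discord's own rule: only roles below your highest one, unless Administrator.
    if not configurer.has(ADMINISTRATOR) and role.position >= configurer.highest().position:
        return False
    # Never auto-assign a permission the configurer does not hold.
    if role.permissions & ~configurer.effective_permissions():
        return False
    # The bot still has to be able to perform the grant.
    return role.position < bot.highest().position


# Constructed server layout for the scenario in the CVE.
BOT_ROLE = Role("Quest Bot", 100, MANAGE_ROLES)
OWNER_ROLE = Role("Owner", 90, ADMINISTRATOR)
STAFF_ROLE = Role("Staff", 60, MANAGE_GUILD)  # server settings, but no role grants
ADMIN_ROLE = Role("Admin", 50, ADMINISTRATOR)  # the role the attacker wants handed out
MOD_ROLE = Role("Mod", 40, MANAGE_ROLES)
MEMBER_ROLE = Role("Member", 10, 0)

bot = Member("bot", (BOT_ROLE,))
attacker = Member("attacker", (STAFF_ROLE,))
moderator = Member("moderator", (MOD_ROLE,))
owner = Member("owner", (OWNER_ROLE,))

if __name__ == "__main__":
    for who in (attacker, moderator, owner):
        print(f"{who.name:>9} -> {ADMIN_ROLE.name}: "
              f"vulnerable={can_set_autorole_vulnerable(who, ADMIN_ROLE, bot)} "
              f"hardened={can_set_autorole(who, ADMIN_ROLE, bot)}")
    print(f"moderator -> {MEMBER_ROLE.name}: hardened={can_set_autorole(moderator, MEMBER_ROLE, bot)}")
```

The attacker with Staff (Manage Server only) passes the vulnerable check because the Admin role sits below the bot, and fails the hardened one at the very first condition. The moderator, who does hold Manage Roles, is still stopped from pointing AutoRole at a role above their own but may select Member, which is the legitimate use of the feature.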
CVE-2026-45216 2026-06-17 N/A 8.8 HIGH
Incorrect Privilege Assignment vulnerability in StoreApps Smart Manager allows Privilege Escalation. This issue affects Smart Manager: from n/a through 8.85.0.
CVE-2026-44997 1 Openclaw 1 Openclaw 2026-06-17 N/A 4.3 MEDIUM
OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions. Attackers can exploit this by spawning child sessions that bypass subagent-only constraints, potentially escalating privileges or accessing restricted resources.
CVE-2026-43535 1 Openclaw 1 Openclaw 2026-06-17 N/A 6.8 MEDIUM
OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a more privileged sender's context, causing earlier messages to execute with elevated permissions.
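The OpenClaw batching entry describes a classic confused-principal bug: a batch is drained under a single authorization context, and that context is whichever sender happened to enqueue last. The code below is an added example modelling that behaviour and one fix, not OpenClaw's code; the Message type, the GRANTS and REQUIRED policy tables and the sample queue are all constructed for illustration. The hardened drain splits the queue into runs of consecutive messages from one sender, so a batch can never span two principals and every message is authorized under its own sender's grants.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Message:
    sender: str
    command: str


# Constructed policy: which sender holds which grants, and what each command needs.
GRANTS = {"alice": {"read", "admin"}, "bob": {"read"}}
REQUIRED = {"status": "read", "shutdown": "admin"}

Result = Tuple[str, str, bool]  # (sender, command, allowed)


def authorized(context_sender: str, command: str) -> bool:
    """Unknown commands default to requiring 'admin' so they fail closed."""
    return REQUIRED.get(command, "admin") in GRANTS.get(context_sender, set())


def drain_vulnerable(queue: List[Message]) -> List[Result]:
    """Collect-mode drain as the CVE describes it: one batch, one authorization
    context, taken from the final queued message and applied to everything."""
    if not queue:
        return []
    context = queue[-1].sender
    return [(m.sender, m.command, authorized(context, m.command)) for m in queue]


def collect_batches(queue: Iterable[Message]) -> List[List[Message]]:
    """Split the queue into runs of consecutive messages from the same sender.
    Batching still happens, but a batch never mixes principals."""
    batches: List[List[Message]] = []
    for m in queue:
        if batches and batches[-1][0].sender == m.sender:
            batches[-1].append(m)
        else:
            batches.append([m])
    return batches


def drain_hardened(queue: List[Message]) -> List[Result]:
    """Each batch is authorized under the context of its own sender."""
    results: List[Result] = []
    for batch in collect_batches(queue):
        context = batch[0].sender  # identical for every message in the batch
        for m in batch:
            results.append((m.sender, m.command, authorized(context, m.command)))
    return results


# Constructed scenario: bob (read-only) queues a privileged command, then a
# privileged sender's message lands last and becomes the batch context.
QUEUE = [Message("bob", "shutdown"), Message("bob", "status"), Message("alice", "status")]

if __name__ == "__main__":
    print("vulnerable:", drain_vulnerable(QUEUE))
    print("hardened:  ", drain_hardened(QUEUE))
```

In the vulnerable drain bob's shutdown is allowed because alice's context covers the whole batch; in the hardened drain it is denied while both status requests still go through, so the fix costs nothing for well-formed traffic.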
CVE-2026-42758 2026-06-17 N/A 9.8 CRITICAL
Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias WebinarIgnition (plugin slug webinar-ignition) allows Privilege Escalation. This issue affects WebinarIgnition: all versions before 4.08.253.
CVE-2026-42731 2026-06-17 N/A 9.8 CRITICAL
Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification (plugin slug miniorange-otp-verification) allows Privilege Escalation. This issue affects miniorange otp verification: from n/a through 5.4.9.
CVE-2026-42680 2026-06-17 N/A 9.8 CRITICAL
Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation. This issue affects Contest Gallery Pro: from n/a through 29.0.1.
CVE-2026-42368 1 Geovision 4 Gv-lpc2011, Gv-lpc2011 Firmware, Gv-lpc2211 and 1 more 2026-06-17 N/A 9.9 CRITICAL
A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execution of a privileged operation. An attacker can visit a webpage to trigger this vulnerability.
CVE-2026-40869 1 Decidim 1 Decidim 2026-06-17 N/A 7.5 HIGH
Decidim is a participatory democracy framework. Starting in version 0.19.0 and prior to versions 0.30.5 and 0.31.1, any registered and authenticated user can accept or reject any amendment. This affects every user who has created proposals in a component with the amendments feature enabled. Because users who amend proposals are granted coauthorship of the coauthorable resource, this also elevates the user accepting the amendment to author of the original proposal. Versions 0.30.5 and 0.31.1 fix the issue. As a workaround, disable amendment reactions for the amendable component (e.g. proposals).
CVE-2026-3817 1 Pamzey 1 Patients Waiting Area Queue Management System 2026-06-17 5.0 MEDIUM 5.3 MEDIUM
A vulnerability was detected in SourceCodester Patients Waiting Area Queue Management System 1.0. This issue affects some unknown processing of the file /patient-search.php. The manipulation results in improper authorization. The attack can be launched remotely. The exploit is now public and may be used.
CVE-2026-3796 1 Qianxin 1 Qax Internet Control Gateway 2026-06-17 4.3 MEDIUM 5.3 MEDIUM
A weakness has been identified in Qi-ANXIN QAX Virus Removal builds up to 2025-10-22. The affected element is the function ZwTerminateProcess in the library QKSecureIO_Imp.sys of the component Mini Filter Driver. Manipulation can lead to improper access control. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-3764 1 Lerouxyxchire 1 Client Database Management System 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability was determined in SourceCodester Client Database Management System 1.0. The impacted element is an unknown function of the file /superadmin_user_update.php. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-3762 1 Lerouxyxchire 1 Client Database Management System 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability has been found in SourceCodester Client Database Management System 1.0/3.1. Impacted is an unknown function of the file /superadmin_delete_manager.php of the component Endpoint. The manipulation of the argument manager_id leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.