Total
890 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-39470 | 2026-06-17 | N/A | 7.2 HIGH | ||
| Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions. | |||||
| CVE-2026-35671 | 2026-06-17 | N/A | 8.8 HIGH | ||
| phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without authorization verification. An attacker with low-privilege admin credentials can escalate to SuperAdmin by modifying the userId parameter in the overwrite-password API request. | |||||
| CVE-2026-35062 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| An authenticated iControl SOAP user may be able to obtain information of other accounts. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2026-34901 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions. | |||||
| CVE-2026-33519 | 4 Esri, Kubernetes, Linux and 1 more | 4 Portal For Arcgis, Kubernetes, Linux Kernel and 1 more | 2026-06-17 | N/A | 9.8 CRITICAL |
| An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials. | |||||
| CVE-2026-33518 | 3 Esri, Linux, Microsoft | 3 Portal For Arcgis, Linux Kernel, Windows | 2026-06-17 | N/A | 9.8 CRITICAL |
| An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected. | |||||
| CVE-2026-32922 | 1 Openclaw | 1 Openclaw | 2026-06-17 | N/A | 9.9 CRITICAL |
| OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to constrain newly minted scopes to the caller's current scope set. Attackers can obtain operator.admin tokens for paired devices and achieve remote code execution on connected nodes via system.run or gain unauthorized gateway-admin access. | |||||
| CVE-2026-32916 | 1 Openclaw | 1 Openclaw | 2026-06-17 | N/A | 9.4 CRITICAL |
| OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to plugin-owned routes can invoke runtime.subagent methods to perform privileged gateway actions including session deletion and agent execution. | |||||
| CVE-2026-32530 | 2026-06-17 | N/A | 8.8 HIGH | ||
| Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through <= 1.1.18. | |||||
| CVE-2026-32520 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| Incorrect Privilege Assignment vulnerability in Andrew Munro / AffiliateWP RewardsWP rewardswp allows Privilege Escalation.This issue affects RewardsWP: from n/a through <= 1.0.4. | |||||
| CVE-2026-32519 | 2026-06-17 | N/A | 9.0 CRITICAL | ||
| Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation.This issue affects Bit SMTP: from n/a through <= 1.2.2. | |||||
| CVE-2026-32488 | 2026-06-17 | N/A | 8.1 HIGH | ||
| Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through <= 4.4.9. | |||||
| CVE-2026-2983 | 1 Munyweki | 1 Student Result Management System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was determined in SourceCodester Student Result Management System 1.0. The impacted element is an unknown function of the file /admin/core/import_users.php of the component Bulk Import. This manipulation of the argument File causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-2938 | 1 Munyweki | 1 Student Result Management System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in SourceCodester Student Result Management System 1.0. The affected element is an unknown function of the file /srms/script/admin/core/update_smtp.php. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-2896 | 1 Funadmin | 1 Funadmin | 2026-06-17 | 7.5 HIGH | 7.3 HIGH |
| A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-2860 | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2852 | 1 Yeqifu | 1 Warehouse | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This issue affects the function addSales/updateSales/deleteSales of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\SalesController.java of the component Sales Endpoint. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2851 | 1 Yeqifu | 1 Warehouse | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was determined in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addInport/updateInport/deleteInport of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\InportController.java of the component Inport Endpoint. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2850 | 1 Yeqifu | 1 Warehouse | 2026-06-17 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addCustomer/updateCustomer/deleteCustomer of the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\CustomerController.java of the component Customer Endpoint. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet. | |||||
| CVE-2026-2849 | 1 Yeqifu | 1 Warehouse | 2026-06-17 | 5.5 MEDIUM | 5.4 MEDIUM |
| A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function deleteCache/removeAllCache/syncCache of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\CacheController.java of the component Cache Sync Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | |||||