Vulnerabilities (CVE)

Filtered by CWE-284
Total 4157 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-7862 2026-05-28 N/A 8.6 HIGH
The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.
CVE-2026-44277 1 Fortinet 1 Fortiauthenticator 2026-05-28 N/A 9.8 CRITICAL
An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow an attacker to execute unauthorized code or commands via crafted requests.
CVE-2025-43451 1 Apple 1 Macos 2026-05-27 N/A 5.5 MEDIUM
A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.
CVE-2026-49002 2026-05-27 N/A 9.1 CRITICAL
Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and modifying configuration information.
CVE-2025-46307 1 Apple 1 Macos 2026-05-27 N/A 5.5 MEDIUM
A logic issue was addressed with improved restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.
CVE-2025-9973 1 Wso2 1 Identity Server 2026-05-27 N/A 6.4 MEDIUM
Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. A malicious actor with privileges to configure adaptive authentication within one organization can leverage this functionality to execute authentication logic on other organizations and sub-organizations. This flaw allows bypassing authorization boundaries between organizations, leading to unauthorized access to critical operations and user accounts in other organizations. When adaptive authentication is enabled in a multi-organization deployment, a malicious actor with privileges to configure adaptive authentication in one organization could exploit this feature to perform critical operations in other organizations without authorization. This may result in privilege escalation, unauthorized access to resources, and potential account takeover across organizations.
CVE-2026-44730 1 Citeum 1 Opencti 2026-05-27 N/A 7.2 HIGH
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges to their own organization. This is due to incorrect ACL on userEdit relationAdd. This vulnerability is fixed in 6.9.7.
CVE-2026-9579 2026-05-27 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument userIdentity results in improper access controls. The attack may be launched remotely. The exploit has been made public and could be used. Upgrading to version 3.9.2 is recommended to address this issue. The affected component should be upgraded.
CVE-2026-9604 2026-05-27 4.0 MEDIUM 4.3 MEDIUM
A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 3.9.2 is able to resolve this issue. The affected component should be upgraded.
CVE-2026-9580 2026-05-27 7.5 HIGH 7.3 HIGH
A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. Upgrading to version 3.9.2 is sufficient to fix this issue. It is suggested to upgrade the affected component.
CVE-2026-48898 1 Joomla 1 Joomla! 2026-05-26 N/A 9.8 CRITICAL
An improper access check allows privilege escalation through the com_users batch task.
CVE-2026-48899 1 Joomla 1 Joomla! 2026-05-26 N/A 9.8 CRITICAL
An improper access check allows privilege escalation through the com_users batch task.
CVE-2026-48900 1 Joomla 1 Joomla! 2026-05-26 N/A 4.3 MEDIUM
An improper access check allowed low privileged users to edit the task types of existing scheduler tasks.
CVE-2026-48904 1 Joomla 1 Joomla! 2026-05-26 N/A 9.8 CRITICAL
An improper access check allows privilege escalation through the com_users group editing webservice endpoint.
CVE-2026-41999 1 Powerdns 1 Authoritative 2026-05-26 N/A 4.8 MEDIUM
Incorrect Behaviour of Views with TCP PROXY Requests
CVE-2026-9495 2026-05-26 N/A 7.3 HIGH
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting or bypass input sanitization.
CVE-2026-9349 2026-05-26 5.0 MEDIUM 5.3 MEDIUM
A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx of the component Generic React API. This manipulation of the argument cancelledBy/rescheduledBy causes information disclosure. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-9374 2026-05-26 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload. The attack can be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2026-9421 2026-05-26 7.5 HIGH 7.3 HIGH
A vulnerability was determined in KLiK SocialMediaWebsite 1.0. This vulnerability affects the function uniqid of the file upload.inc.php of the component File Handler. This manipulation causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
CVE-2026-9352 2026-05-26 5.0 MEDIUM 5.3 MEDIUM
A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the function _make_run_env of the file tools/environments/local.py of the component Messaging Gateway Handler. A manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.