Total: 909 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-0583 | 1 Vektor-inc | 1 Vk Blocks | 2026-04-08 | N/A | 4.3 MEDIUM |
| The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'update_vk_blocks_options' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change plugin settings including default icons. | |||||
| CVE-2021-4344 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2026-04-08 | N/A | 6.4 MEDIUM |
| The Frontend File Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 18.2. This is due to mishandling of user IDs that are accessible to the visitor. This makes it possible for unauthenticated or authenticated attackers to access the information and privileges of other users, including 'guest users', in their own category (authenticated, or unauthenticated guests). | |||||
| CVE-2020-36696 | 1 Tychesoftwares | 1 Product Input Fields For Woocommerce | 2026-04-08 | N/A | 7.5 HIGH |
| The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_downloads() function in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to download files from the vulnerable service. | |||||
| CVE-2017-20238 | | | 2026-04-07 | N/A | 7.1 HIGH |
| Hirschmann Industrial HiVision versions 06.0.00 and 07.0.00 prior to 06.0.06 and 07.0.01 contain an improper authorization vulnerability that allows read-only users to gain write access to managed devices by bypassing access control mechanisms. Attackers can exploit alternative interfaces such as the web interface or SNMP browser to modify device configurations despite having restricted permissions. | |||||
| CVE-2026-3237 | 1 Octopus | 1 Octopus Server | 2026-04-07 | N/A | 4.3 MEDIUM |
| In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability. | |||||
| CVE-2026-32213 | 1 Microsoft | 1 Azure Ai Foundry | 2026-04-06 | N/A | 10.0 CRITICAL |
| Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2026-33950 | 1 Signalk | 1 Signal K Server | 2026-04-06 | N/A | 9.4 CRITICAL |
| Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4. | |||||
| CVE-2026-33105 | 1 Microsoft | 1 Azure Kubernetes Service | 2026-04-06 | N/A | 10.0 CRITICAL |
| Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2026-32716 | 1 Scitokens | 1 Scitokens Library | 2026-04-03 | N/A | 8.1 HIGH |
| SciTokens is a reference library for generating and using SciTokens. Prior to version 1.9.6, the Enforcer incorrectly validates scope paths by using a simple prefix match (startswith). This allows a token with access to a specific path (e.g., /john) to also access sibling paths that start with the same prefix (e.g., /johnathan, /johnny), which is an Authorization Bypass. This issue has been patched in version 1.9.6. | |||||
| CVE-2026-4818 | 1 Search-guard | 1 Flx | 2026-04-03 | N/A | 6.8 MEDIUM |
| In Search Guard FLX versions from 3.0.0 up to 4.0.1, there exists an issue which allows users without the necessary privileges to execute some management operations against data streams. | |||||
| CVE-2026-20661 | 1 Apple | 2 Ipados, Iphone Os | 2026-04-02 | N/A | 4.6 MEDIUM |
| An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3. An attacker with physical access to a locked device may be able to view sensitive user information. | |||||
| CVE-2026-20656 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2026-04-02 | N/A | 3.3 LOW |
| A logic issue was addressed with improved validation. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, macOS Tahoe 26.3. An app may be able to access a user's Safari history. | |||||
| CVE-2025-46289 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 5.5 MEDIUM |
| A logic issue was addressed with improved file handling. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. An app may be able to access protected user data. | |||||
| CVE-2025-31255 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2026-04-02 | N/A | 9.8 CRITICAL |
| An authorization issue was addressed with improved state management. This issue is fixed in iOS 26 and iPadOS 26, macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26, tvOS 26, watchOS 26. An app may be able to access sensitive user data. | |||||
| CVE-2024-40814 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 7.1 HIGH |
| A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sonoma 14.6, macOS Ventura 13.7. An app may be able to bypass Privacy preferences. | |||||
| CVE-2024-40807 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 5.5 MEDIUM |
| A logic issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. A shortcut may be able to use sensitive data with certain actions without prompting the user. | |||||
| CVE-2024-40783 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 5.5 MEDIUM |
| The issue was addressed with improved restriction of data container access. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. A malicious application may be able to bypass Privacy preferences. | |||||
| CVE-2026-30878 | 1 Basercms | 1 Basercms | 2026-04-01 | N/A | 5.3 MEDIUM |
| baserCMS is a website development framework. Prior to version 5.2.3, a public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. This issue has been patched in version 5.2.3. | |||||
| CVE-2026-34738 | 1 Wwbn | 1 Avideo | 2026-04-01 | N/A | 4.3 MEDIUM |
| WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an overrideStatus request parameter that allows any uploader to set a video's status to any valid state, including "active" (a). This bypasses the admin-controlled moderation and draft workflows. The setStatus() method validates the status code against a list of known values but does not verify that the caller has permission to set that particular status. As a result, any user with upload permissions can publish videos directly, circumventing content review processes. At time of publication, there are no publicly available patches. | |||||
| CVE-2026-34784 | 1 Parseplatform | 1 Parse-server | 2026-04-01 | N/A | 7.5 HIGH |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1. | |||||
