Total: 1688 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-49192 | 1 Acer | 2 Connect M6e 5g, Connect M6e 5g Firmware | 2026-06-04 | N/A | 5.4 MEDIUM |
| The summary service endpoint suffers from an IDOR vulnerability where it fails to verify user ownership of hardware serial numbers, exposing device data to scraping. | |||||
| CVE-2026-45810 | 1 Nextcloud | 1 Nextcloud Server | 2026-06-04 | N/A | 6.8 MEDIUM |
| Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3. | |||||
| CVE-2026-32589 | 1 Redhat | 2 Mirror Registry For Red Hat Openshift, Quay | 2026-06-04 | N/A | 7.4 HIGH |
| A flaw was found in Red Hat Quay's container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user's in-progress image upload. | |||||
| CVE-2026-10597 | | | 2026-06-04 | N/A | 5.3 MEDIUM |
| OMICARD EDM developed by ITPison has an Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain a user's email address. | |||||
| CVE-2025-14772 | | | 2026-06-04 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24. | |||||
| CVE-2026-7201 | 1 Progress | 1 Sitefinity | 2026-06-04 | N/A | 8.8 HIGH |
| CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users. | |||||
| CVE-2025-13004 | 1 Farktor | 1 E-commerce Package | 2026-06-04 | N/A | 6.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Manipulating User-Controlled Variables. This issue affects E-Commerce Package: through 27112025. | |||||
| CVE-2025-13003 | | | 2026-06-04 | N/A | 7.6 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Aksis Computer Services and Consulting Inc. AxOnboard allows Exploitation of Trusted Identifiers. This issue affects AxOnboard: from 3.2.0 before 3.3.0. | |||||
| CVE-2025-14101 | | | 2026-06-04 | N/A | 7.1 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers. This issue affects PaperWork: from 5.2.0.9427 before 6.0. | |||||
| CVE-2025-13474 | | | 2026-06-04 | N/A | 7.5 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers. This issue affects Mobile App: before 9.5.8. | |||||
| CVE-2025-13125 | | | 2026-06-04 | N/A | 4.3 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Exploitation of Trusted Identifiers. This issue affects DijiDemi: through 28.11.2025. | |||||
| CVE-2025-13124 | | | 2026-06-04 | N/A | 7.6 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Netiket Information Technologies Ltd. Co. ApplyLogic allows Exploitation of Trusted Identifiers. This issue affects ApplyLogic: through 01.12.2025. | |||||
| CVE-2026-37978 | 1 Redhat | 1 Build Of Keycloak | 2026-06-03 | N/A | 4.9 MEDIUM |
| A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API. | |||||
| CVE-2026-4630 | 1 Redhat | 1 Build Of Keycloak | 2026-06-03 | N/A | 6.8 MEDIUM |
| A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data. | |||||
| CVE-2026-45281 | 1 Nextcloud | 1 Nextcloud Server | 2026-06-03 | N/A | 8.1 HIGH |
| Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with knowledge of another user's principal URL an attacker could possibly send a request to gain full access to their calendar. Therefore, the attacker must be an authenticated user. This is because of improper authorization controls in the backend of the calendar. If the attacker had access to the calendar, they would be able to view and modify it. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23. | |||||
| CVE-2026-47713 | 1 Mintplexlabs | 1 Anythingllm | 2026-06-03 | N/A | 2.0 LOW |
| AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record has userId = null. In multi-user mode, that stale token is still accepted by the mobile authentication middleware. Because no user is attached to the request, downstream mobile handlers fall back to unscoped data-access branches and return workspaces and workspace content without per-user filtering. This permits a pre-migration mobile token to enumerate a workspace assigned only to another user and retrieve victim-owned thread metadata and chat content in multi-user mode. This vulnerability is fixed in 1.13.0. | |||||
| CVE-2024-4341 | 1 Extremepacs | 1 Extreme Xds | 2026-06-03 | N/A | 6.5 MEDIUM |
| Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in ExtremePacs Extreme XDS allows Collect Data as Provided by Users. This issue affects Extreme XDS: before 3928. | |||||
| CVE-2024-3306 | 1 Utarit | 1 Soliclub | 2026-06-03 | N/A | 7.5 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Utarit Information SoliClub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android. | |||||
| CVE-2024-3305 | 1 Utarit | 1 Soliclub | 2026-06-03 | N/A | 7.5 HIGH |
| Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data. This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android. | |||||
| CVE-2024-1744 | 1 Accordors | 1 Accord Ors | 2026-06-03 | N/A | 7.5 HIGH |
| Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Ariva Computer Accord ORS allows Retrieve Embedded Sensitive Data. This issue affects Accord ORS: before 7.3.2.1. | |||||
