Total
1688 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-8337 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | N/A | 5.3 MEDIUM |
| Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey’s endpoint. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Zer0daySec https://github.com/Zee99y for reporting | |||||
| CVE-2026-8204 | 1 Concretecms | 1 Concrete Cms | 2026-05-26 | N/A | 5.3 MEDIUM |
| Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. | |||||
| CVE-2026-41471 | 2026-05-26 | N/A | 7.5 HIGH | ||
| The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. | |||||
| CVE-2026-39968 | 2026-05-26 | N/A | 7.1 HIGH | ||
| TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 ("Credential Theft via Client-Side Script Execution and API Authorization Bypass") is incomplete. While the builder's getCredentials tRPC endpoint was patched with workspace membership checks, the bot-engine runtime still allows any authenticated user to use credentials from any workspace via the preview chat endpoint. The bot-engine's getCredentials() utility function uses a falsy check (if (workspaceId && ...)) for workspace ownership validation. Since the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, an attacker can supply workspaceId: "" to bypass credential ownership verification entirely. Exploitation can result in credential exfiltration, external service abuse, financial damage and a data breach. | |||||
| CVE-2026-45760 | 2026-05-23 | N/A | 8.1 HIGH | ||
| (Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue. | |||||
| CVE-2026-7886 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | N/A | 4.3 MEDIUM |
| Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. if a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if a authorized user attaches a file, or otherwise links to it, unauthorized users won't be able to view the file. | |||||
| CVE-2026-7881 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | N/A | 4.3 MEDIUM |
| Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting. | |||||
| CVE-2026-8347 | 1 Concretecms | 1 Concrete Cms | 2026-05-22 | N/A | 4.3 MEDIUM |
| Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. | |||||
| CVE-2026-9248 | 1 Devolutions | 1 Devolutions Server | 2026-05-22 | N/A | 2.6 LOW |
| Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | |||||
| CVE-2026-28444 | 2026-05-22 | N/A | 6.5 MEDIUM | ||
| Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim's resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId. This confirms the missing check is an oversight, not a design choice. This issue has been fixed in version 3.15.2. | |||||
| CVE-2026-3473 | 1 Mattermost | 1 Mattermost Server | 2026-05-22 | N/A | 5.9 MEDIUM |
| Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs.. Mattermost Advisory ID: MMSA-2026-00620 | |||||
| CVE-2026-8679 | 2026-05-22 | N/A | 7.5 HIGH | ||
| The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status. | |||||
| CVE-2023-2713 | 1 Rental Module Project | 1 Rental Module | 2026-05-22 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass. This issue affects Rental Module: before 23.05.15. | |||||
| CVE-2023-2702 | 1 Finexmedia | 1 Competition Management System | 2026-05-22 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass. This issue affects Competition Management System: before 23.07. | |||||
| CVE-2023-2065 | 1 Armoli | 1 Cargo Tracking System | 2026-05-22 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse, Authentication Bypass. This issue affects Cargo Tracking System: before 3558f28 . | |||||
| CVE-2023-2958 | 1 Orjinyazilim | 1 Ats Pro | 2026-05-22 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass. This issue affects ATS Pro: before 20230714. | |||||
| CVE-2023-2883 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2026-05-22 | N/A | 8.8 HIGH |
| Authorization Bypass Through User-Controlled Key vulnerability in CBOT Chatbot allows Authentication Abuse, Authentication Bypass. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | |||||
| CVE-2023-3048 | 1 Tmtmakine | 2 Lockcell, Lockcell Firmware | 2026-05-22 | N/A | 9.8 CRITICAL |
| Authorization Bypass Through User-Controlled Key vulnerability in TMT Lockcell allows Authentication Abuse, Authentication Bypass. This issue affects Lockcell: before 15. | |||||
| CVE-2025-13479 | 2026-05-21 | N/A | 7.5 HIGH | ||
| Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-9152 | 2026-05-21 | N/A | N/A | ||
| A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's identifier can interact with that workspace's search index, crossing tenant boundaries. Successful exploitation allows reading a workspace's indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected. | |||||