Total
42 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-13129 | 2026-06-04 | N/A | 4.3 MEDIUM | ||
| Improper Enforcement of Behavioral Workflow vulnerability in Seneka Software Hardware Information Technology Trade Contracting and Industry Ltd. Co. Onaylarım allows Functionality Misuse. This issue affects Onaylarım: from 25.09.26.01 through 18112025. | |||||
| CVE-2024-13065 | 2026-06-01 | N/A | 6.3 MEDIUM | ||
| Improper Enforcement of Behavioral Workflow, Uncontrolled Resource Consumption vulnerability in Akinsoft MyRezzta allows Input Data Manipulation, CAPEC - 125 - Flooding. This issue affects MyRezzta: from s2.02.02 before v2.05.01. | |||||
| CVE-2026-45023 | 2026-05-29 | N/A | 5.4 MEDIUM | ||
| AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to 0.6.59, POST /api/blocks/{block_id}/execute endpoint executes blocks without consuming any credits, regardless of the user's balance. The credit check that exists in the graph execution path (manager.py) is never reached when blocks are called directly via the external API, allowing unlimited free execution of all blocks. This vulnerability is fixed in 0.6.59. | |||||
| CVE-2026-8477 | 1 Devolutions | 1 Devolutions Server | 2026-05-22 | N/A | 2.7 LOW |
| Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier | |||||
| CVE-2026-42246 | 1 Ruby-lang | 1 Net\ | 2026-05-18 | N/A | 7.4 HIGH |
| Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4. | |||||
| CVE-2026-43937 | 2026-05-13 | N/A | 8.8 HIGH | ||
| YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. The most impactful abuse is /Admin/RunSql, whose OnPostRunQuery binds Editor from the POST body and passes it straight to IDbAccess.RunSql with no caller check, yielding arbitrary SQL execution for any low-privileged user. This vulnerability is fixed in 4.0.5. | |||||
| CVE-2026-42303 | 2026-05-13 | N/A | N/A | ||
| Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment. This vulnerability is fixed in 2.83.2. | |||||
| CVE-2025-13239 | 1 Bdtask | 1 Isshue | 2026-04-29 | 4.0 MEDIUM | 4.3 MEDIUM |
| A security vulnerability has been detected in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution 5. Affected by this issue is some unknown functionality of the file /submit_checkout. Such manipulation of the argument order_total_amount/cart_total_amount leads to enforcement of behavioral workflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-41259 | 1 Joinmastodon | 1 Mastodon | 2026-04-28 | N/A | 7.5 HIGH |
| Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and performs basic validation on e-mail addresses, but fails to restrict characters that are interpreted differently by some mailing servers. This vulnerability is fixed in v4.5.9, v4.4.16, and v4.3.22. | |||||
| CVE-2026-34582 | 1 Botan Project | 1 Botan | 2026-04-17 | N/A | 9.1 CRITICAL |
| Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1. | |||||
| CVE-2024-37296 | 2026-04-15 | N/A | 5.3 MEDIUM | ||
| The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment didn't succeed. Versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5 fix this issue. | |||||
| CVE-2025-58051 | 2026-04-15 | N/A | 6.5 MEDIUM | ||
| Nextcloud Tables allows you to create your own tables with individual columns. Prior 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5. | |||||
| CVE-2024-12543 | 2026-04-15 | N/A | N/A | ||
| User Enumeration and Data Integrity in Barcode functionality in OpenText Content Management versions 24.3-25.1on Windows and Linux allows a malicous authenticated attacker to potentially alter barcode attributes. | |||||
| CVE-2024-44128 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 5.5 MEDIUM |
| This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sequoia 15, macOS Sonoma 14.7, macOS Ventura 13.7. An Automator Quick Action workflow may be able to bypass Gatekeeper. | |||||
| CVE-2026-30574 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2026-03-31 | N/A | 7.5 HIGH |
| A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0 in the add-sales.php file. The application fails to verify if the requested sales quantity (txtqty) exceeds the available stock level. An attacker can manipulate the request to purchase a quantity that is significantly higher than the actual available stock. | |||||
| CVE-2026-30783 | 5 Apple, Google, Linux and 2 more | 6 Iphone Os, Macos, Android and 3 more | 2026-03-25 | N/A | 9.8 CRITICAL |
| A vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android, WebClient (Client signaling, API sync loop, config management modules) allows Privilege Abuse. This vulnerability is associated with program files src/rendezvous_mediator.Rs, src/hbbs_http/sync.Rs and program routines API sync loop, api-server config handling. This issue affects RustDesk Client: through 1.4.5. | |||||
| CVE-2025-13459 | 3 Ibm, Linux, Microsoft | 3 Aspera Console, Linux Kernel, Windows | 2026-03-17 | N/A | 2.7 LOW |
| IBM Aspera Console 3.3.0 through 3.4.8 could allow a privileged user to cause a denial of service due to improper enforcement of behavioral workflow. | |||||
| CVE-2026-3130 | 1 Devolutions | 1 Devolutions Server | 2026-03-04 | N/A | 9.8 CRITICAL |
| Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion. | |||||
| CVE-2025-52469 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 7.1 HIGH |
| Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo’s social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. The attacker can bypass the normal flow of sending and accepting friend requests, and even add non-existent users. This breaks access control and social interaction logic, with potential privacy implications. This issue has been patched in version 1.11.30. | |||||
| CVE-2026-24774 | 1 Gunet | 1 Open Eclass Platform | 2026-02-10 | N/A | 4.3 MEDIUM |
| The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a business logic vulnerability allows authenticated students to improperly mark themselves as present in attendance activities, including activities that have already expired, by directly accessing a crafted URL. This issue has been patched in version 4.2. | |||||