Total: 8121 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-5230 | | | 2026-06-17 | N/A | 7.1 HIGH | Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. |
| CVE-2026-5228 | | | 2026-06-17 | N/A | 8.8 HIGH | Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp Mobile App: from 1.3.0 through 04062026. |
| CVE-2026-5200 | | | 2026-06-17 | N/A | 8.8 HIGH | The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known. |
| CVE-2026-5175 | 1 Devolutions | 1 Devolutions Server | 2026-06-17 | N/A | 5.0 MEDIUM | Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests. This issue affects Server: from 2026.1.6 through 2026.1.11. |
| CVE-2026-5163 | 1 Mattermost | 1 Mattermost Server | 2026-06-17 | N/A | 6.5 MEDIUM | Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites, which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint. Mattermost Advisory ID: MMSA-2026-00645 |
| CVE-2026-5146 | 1 Devolutions | 1 Devolutions Server | 2026-06-17 | N/A | 4.3 MEDIUM | Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions: Devolutions Server 2026.1.6.0 through 2026.1.15.0, and Devolutions Server 2025.3.19.0 and earlier. |
| CVE-2026-5025 | 1 Langflow | 1 Langflow | 2026-06-17 | N/A | 6.5 MEDIUM | The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_user') without any privilege checks (e.g., 'is_superuser'). |
| CVE-2026-5022 | 1 Langflow | 1 Langflow | 2026-06-17 | N/A | 5.3 MEDIUM | The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name. |
| CVE-2026-54190 | | | 2026-06-17 | N/A | 6.5 MEDIUM | Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions. |
| CVE-2026-53821 | 1 Openclaw | 1 Openclaw | 2026-06-17 | N/A | 8.8 HIGH | OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execute admin-gated Gateway RPCs. |
| CVE-2026-53820 | 1 Openclaw | 1 Openclaw | 2026-06-17 | N/A | 6.6 MEDIUM | OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundled MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attackers can reach the affected bundled MCP session-spawn path to start sessions with broader command reach than intended. |
| CVE-2026-53818 | 1 Openclaw | 1 Openclaw | 2026-06-17 | N/A | 6.6 MEDIUM | OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable. |
| CVE-2026-53816 | 1 Openclaw | 1 Openclaw | 2026-06-17 | N/A | 7.2 HIGH | OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway, steering target sessions into exec-event paths that expose capabilities the reduced node surface should not provide. |
| CVE-2026-53815 | 1 Openclaw | 1 Openclaw | 2026-06-17 | N/A | 6.5 MEDIUM | OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing sensitive channel messages. |
| CVE-2026-53634 | | | 2026-06-17 | N/A | 4.3 MEDIUM | Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that entity, as long as it had a Quick Creation Command handler configured. This issue has been patched in version 9.22.3. |
| CVE-2026-53439 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 4.3 MEDIUM | Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views". |
| CVE-2026-53438 | 1 Jenkins | 1 Jenkins | 2026-06-17 | N/A | 4.3 MEDIUM | A missing permission check in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allows attackers with Item/Cancel permission, but lacking Item/Read permission, to cancel queue items they do not have permission to view. |
| CVE-2026-52714 | | | 2026-06-17 | N/A | 5.9 MEDIUM | Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions. |
| CVE-2026-52711 | | | 2026-06-17 | N/A | 7.5 HIGH | Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions. |
| CVE-2026-50244 | | | 2026-06-17 | N/A | 5.3 MEDIUM | The Naxclow platform exposes a registration endpoint that accepts signed requests containing a batch prefix and an arbitrary caller-supplied account identifier, without validating any ownership relationship. Each call mints a new sequential device identifier and returns the current high-water counter value for the batch, allowing callers to measure and enumerate the active device space. The endpoint's behavior enables precise fleet enumeration. |
