Total
7472 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-1722 | 2026-02-10 | N/A | 5.3 MEDIUM | ||
| The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.0. This is due to the plugin not implementing authorization checks in the `wcfm-refund-requests-form` AJAX controller. This makes it possible for unauthenticated attackers to create arbitrary refund requests for any order ID and item ID, potentially leading to financial loss if automatic refund approval is enabled in the plugin settings. | |||||
| CVE-2026-1745 | 1 Oretnom23 | 1 Medical Certificate Generator App | 2026-02-10 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | |||||
| CVE-2026-25752 | 1 Frangoteam | 1 Fuxa | 2026-02-10 | N/A | 9.1 CRITICAL |
| FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. | |||||
| CVE-2026-24095 | 2026-02-09 | N/A | N/A | ||
| Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p21, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows users with the "Use WATO" permission to access the "Analyze configuration" page by directly navigating to its URL, bypassing the intended "Access analyze configuration" permission check. If these users also have the "Make changes, perform actions" permission, they can perform unauthorized actions such as disabling checks or acknowledging results. | |||||
| CVE-2025-2848 | 1 Synology | 2 Diskstation Manager, Mail Server | 2026-02-09 | N/A | 6.3 MEDIUM |
| A vulnerability in Synology Mail Server allows remote authenticated attackers to read and write non-sensitive settings, and disable some non-critical functions. | |||||
| CVE-2025-15476 | 2026-02-09 | N/A | 4.3 MEDIUM | ||
| The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add delete or modify arbitrary bucket list items. | |||||
| CVE-2026-1153 | 1 Technical-laohu | 1 Mpay | 2026-02-06 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. | |||||
| CVE-2025-10753 | 2026-02-06 | N/A | 5.3 MEDIUM | ||
| The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly. | |||||
| CVE-2025-27461 | 1 Endress | 2 Meac300-fnade4, Meac300-fnade4 Firmware | 2026-02-06 | N/A | 7.6 HIGH |
| During startup, the device automatically logs in the EPC2 Windows user without requesting a password. | |||||
| CVE-2026-23875 | 1 Crawlchat | 1 Crawlchat | 2026-02-05 | N/A | 5.4 MEDIUM |
| CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a non-existing permission check for the CrawlChat's Discord bot allows non-manage guild users to put malicious content onto the collection knowledge base. Usually, admin / mods of a Discord guild use the `jigsaw` emoji to save a specific message (chain) onto the collection's knowledge base of CrawlChat. Unfortunately an permission check (for e.g. MANAGE_SERVER; MANAGE_MESSAGES etc.) was not done, allowing normal users of the guild to information to the knowledge base. With targeting specific parts that are commonly asked, users can manipulate the content given out by the bot (on all integrations), to e.g. redirect users to a malicious site, or send information to a malicious user. Version 0.0.8 patches the issue. | |||||
| CVE-2026-25028 | 2026-02-05 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.4.1. | |||||
| CVE-2025-14079 | 2026-02-05 | N/A | 5.3 MEDIUM | ||
| The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action. | |||||
| CVE-2025-13416 | 2026-02-05 | N/A | 4.3 MEDIUM | ||
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action. | |||||
| CVE-2025-63294 | 1 Workdo | 1 Hrm Saas | 2026-02-04 | N/A | 6.5 MEDIUM |
| WorkDo HRM SaaS HR and Payroll Tool 8.1 is affected vulnerable to Insecure Permissions. An authenticated user can create leave or resignation records on behalf of other users. | |||||
| CVE-2026-0572 | 2026-02-04 | N/A | 6.5 MEDIUM | ||
| The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webpurify_save_options' function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings. | |||||
| CVE-2026-1835 | 2026-02-04 | 5.0 MEDIUM | 4.3 MEDIUM | ||
| A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. | |||||
| CVE-2025-54159 | 1 Synology | 1 Beedrive | 2026-02-04 | N/A | 7.5 HIGH |
| Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors. | |||||
| CVE-2026-1751 | 1 Gitlab | 1 Gitlab | 2026-02-04 | N/A | 3.1 LOW |
| A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions. | |||||
| CVE-2025-48784 | 1 Scshr | 1 Hr Portal | 2026-02-04 | N/A | 7.5 HIGH |
| A missing authorization vulnerability in Soar Cloud HRD Human Resource Management System through version 7.3.2025.0408 allows remote attackers to modify system settings without prior authorization. | |||||
| CVE-2026-24951 | 2026-02-03 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.7.3. | |||||