Total
8119 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-48971 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in WebToffee Product Import Export for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Import Export for WooCommerce: from n/a through 2.5.6. | |||||
| CVE-2026-48969 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions. | |||||
| CVE-2026-48887 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions. | |||||
| CVE-2026-48883 | 2026-06-17 | N/A | 7.5 HIGH | ||
| Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions. | |||||
| CVE-2026-48881 | 2026-06-17 | N/A | 9.1 CRITICAL | ||
| Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions. | |||||
| CVE-2026-48873 | 2026-06-17 | N/A | 7.5 HIGH | ||
| Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions. | |||||
| CVE-2026-48835 | 2026-06-17 | N/A | 7.5 HIGH | ||
| Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions. | |||||
| CVE-2026-48811 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221. | |||||
| CVE-2026-48709 | 2026-06-17 | N/A | 3.7 LOW | ||
| OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0. | |||||
| CVE-2026-48592 | 2026-06-17 | N/A | N/A | ||
| Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'Elixir.Oban.Web.Jobs.DetailComponent' does not perform an authorization check, unlike the sibling cancel, delete, and retry handlers which all verify the caller's privileges via can?/2. An authenticated user with :read_only access can push a forged save-job LiveView WebSocket event to overwrite a job's worker field with any other existing Oban.Worker module in the application. On the job's next execution attempt, Oban will invoke perform/1 on the attacker-chosen module instead of the intended one. This issue affects oban_web: from 2.12.0 before 2.12.5. | |||||
| CVE-2026-48151 | 2026-06-17 | N/A | 7.5 HIGH | ||
| Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the body schema for a known webhook and mutate the corresponding automation trigger output schema. This vulnerability is fixed in 3.39.0. | |||||
| CVE-2026-48119 | 2026-06-17 | N/A | 7.1 HIGH | ||
| Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.12, authenticated agents can forge service-monitor results for other users' services. This issue has been patched in version 2.0.12. | |||||
| CVE-2026-47745 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could disable every payment method on the store, disable or alter the default currency, or disable carriers. The impact is a full denial of checkout and pricing integrity loss, reachable by any authenticated user. This vulnerability is fixed in 2.8.0. | |||||
| CVE-2026-47742 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Sub-form Livewire components used in the product editor (Edit, Inventory, Seo, Shipping, Files) had no authorization on their store() method. Any authenticated panel user, regardless of role, could mutate any product's pricing, stock, SEO metadata, shipping dimensions, and attached media without holding edit_products. The affected components accepted the product ID as a public Livewire property without #[Locked], so an attacker could also target an arbitrary product by tampering with the wire payload from the client. This vulnerability is fixed in 2.8.0. | |||||
| CVE-2026-47740 | 2026-06-17 | N/A | 8.1 HIGH | ||
| Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark complete, capture payment, archive, and start processing were callable with the read-only read_orders permission and did not require edit_orders. capturePayment could trigger an actual PSP capture (real funds movement). The order shipments table actions mark delivered and edit tracking were callable with the read-only browse_orders permission. A user with read access to orders could therefore alter the lifecycle of every order in the panel and trigger real-world payment captures. This vulnerability is fixed in 2.8.0. | |||||
| CVE-2026-47728 | 2026-06-17 | N/A | 4.3 MEDIUM | ||
| Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0. | |||||
| CVE-2026-47352 | 2026-06-17 | N/A | N/A | ||
| Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. | |||||
| CVE-2026-47351 | 2026-06-17 | N/A | N/A | ||
| Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2. | |||||
| CVE-2026-47350 | 2026-06-17 | N/A | N/A | ||
| Backend users were able to move records to a different page without having edit permissions on the source page. This issue affects TYPO3 CMS versions 13.0.0-13.4.31 and 14.0.0-14.3.3. | |||||
| CVE-2026-47349 | 2026-06-17 | N/A | N/A | ||
| Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3. | |||||