Total: 8045 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-34892 | | | 2026-06-15 | N/A | 6.5 MEDIUM | Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions. |
| CVE-2026-40794 | | | 2026-06-15 | N/A | 6.5 MEDIUM | Subscriber Broken Access Control in myCred <= 3.0.3 versions. |
| CVE-2026-34898 | | | 2026-06-15 | N/A | 7.5 HIGH | Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. |
| CVE-2026-48119 | | | 2026-06-15 | N/A | 7.1 HIGH | Nezha Monitoring is a self-hostable, lightweight servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.12, authenticated agents can forge service-monitor results for other users' services. This issue has been patched in version 2.0.12. |
| CVE-2026-46716 | | | 2026-06-15 | N/A | 9.9 CRITICAL | Nezha Monitoring is a self-hostable, lightweight servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map, including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup and on to an attacker-controlled webhook. This issue has been patched in version 2.0.8. |
| CVE-2026-34024 | | | 2026-06-15 | N/A | N/A | The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains missing authorization checks on multiple web application endpoints. An authenticated attacker with minimal privileges can access endpoints that are not visible in the frontend but remain directly reachable. This allows the attacker to perform restricted actions such as switching the user's branch, uploading arbitrary files, downloading arbitrary files, and viewing details of arbitrary branches. |
| CVE-2026-45085 | | | 2026-06-15 | N/A | 5.3 MEDIUM | Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1, four authorization/disclosure issues exist in the chat plugin (one also involving discourse-calendar): read-only category users could create chat threads; self-deleted chat messages could be restored by their author after channel access was revoked; moderators reviewing a flagged chat message were shown the channel's current last_message (often unrelated DM content); and calendar event payloads exposed the attached chat channel and its last message to viewers without chat access (including anonymous users). This affects sites with the chat plugin enabled; the calendar issue additionally requires discourse-calendar. This issue has been patched in versions 2026.1.4, 2026.3.1, 2026.4.1, and 2026.5.0-latest.1. |
| CVE-2026-6689 | | | 2026-06-15 | N/A | 4.3 MEDIUM | Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to enforce PermissionInviteUser when setting AllowOpenInvite or AllowedDomains during team creation (the check was only applied on update/patch). This allows an authenticated user holding PermissionCreateTeam but not PermissionInviteUser on the resulting team to configure invite-controlled team settings (make the team publicly joinable via open invite and/or constrain membership via allowed domains) that they are not permitted to set on an existing team, via `POST /api/v4/teams` with `allow_open_invite: true` and/or a non-empty `allowed_domains` in the request body. Mattermost Advisory ID: MMSA-2026-00655 |
| CVE-2026-10715 | | | 2026-06-15 | N/A | N/A | Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to `POST /admin/post_type/<POST_TYPE_ID>/drafts` and overwrite the draft associated with another user's post. |
| CVE-2026-47120 | | | 2026-06-15 | N/A | 7.1 HIGH | Nezha Monitoring is a self-hostable, lightweight servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check). This issue has been patched in version 2.0.8. |
| CVE-2026-5230 | | | 2026-06-15 | N/A | 7.1 HIGH | Improper Access Control, Missing Authorization vulnerability in MIA Technology Inc. Pizzy Library allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. |
| CVE-2026-48969 | | | 2026-06-15 | N/A | 6.5 MEDIUM | Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions. |
| CVE-2025-64215 | | | 2026-06-15 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16. |
| CVE-2026-47281 | 1 Microsoft | 1 Visual Studio Code | 2026-06-15 | N/A | 9.6 CRITICAL | Improper input validation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-47197 | | | 2026-06-13 | N/A | N/A | Quest Bot is an open-source Discord bot. Prior to version 1.1.6, a moderator with the relevant Discord permission bit can use the bot to moderate users above them in the Discord role hierarchy, as long as the bot itself outranks the target. This bypasses Discord's normal role hierarchy protections and lets lower-ranked moderators ban, kick, timeout, untimeout, warn, or rename higher-ranked users. This issue has been patched in version 1.1.6. |
| CVE-2026-53816 | 1 Openclaw | 1 Openclaw | 2026-06-12 | N/A | 7.2 HIGH | OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. A malicious or compromised paired node can send crafted node.event messages to the gateway, steering target sessions into exec-event paths that expose capabilities the reduced node surface should not provide. |
| CVE-2026-53818 | 1 Openclaw | 1 Openclaw | 2026-06-12 | N/A | 6.6 MEDIUM | OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. Attackers can invoke owner-only behavior through the affected loopback path to execute restricted tools when the feature is enabled and reachable. |
| CVE-2026-26237 | 1 Qnap | 1 Qumagie | 2026-06-12 | N/A | 7.5 HIGH | A missing authorization vulnerability has been reported to affect QuMagie. Remote attackers can exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later. |
| CVE-2026-53815 | 1 Openclaw | 1 Openclaw | 2026-06-12 | N/A | 6.5 MEDIUM | OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not intended for them by exploiting insufficient validation in the affected feature, potentially exposing sensitive channel messages. |
| CVE-2026-10787 | 1 Devolutions | 1 Devolutions Server | 2026-06-12 | N/A | 4.3 MEDIUM | Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects: Devolutions Server 2026.2.4.0; Devolutions Server 2026.1.20.0 and earlier. |
