Total
6974 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-3906 | 2026-03-11 | N/A | 4.3 MEDIUM | ||
| WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status. | |||||
| CVE-2026-31834 | 2026-03-11 | N/A | 7.2 HIGH | ||
| Umbraco is an ASP.NET CMS. From 15.3.1 to before 16.5.1 and 17.2.2, A privilege escalation vulnerability has been identified in Umbraco CMS. Under certain conditions, authenticated backoffice users with permission to manage users, may be able to elevate their privileges due to insufficient authorization enforcement when modifying user group memberships. The affected functionality does not properly validate whether a user has sufficient privileges to assign highly privileged roles. This vulnerability is fixed in 16.5.1 and 17.2.2. | |||||
| CVE-2026-1781 | 2026-03-11 | N/A | 6.5 MEDIUM | ||
| The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the `_mc4wp_action` POST parameter without validation, allowing unauthenticated attackers to force the form to process unsubscribe actions instead of subscribe actions. This makes it possible for unauthenticated attackers to arbitrarily unsubscribe any email address from the connected Mailchimp audience via the `_mc4wp_action` parameter, granted they can obtain the form ID (which is publicly exposed in the HTML source). | |||||
| CVE-2026-30823 | 1 Flowiseai | 1 Flowise | 2026-03-11 | N/A | 8.8 HIGH |
| Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, there is an IDOR vulnerability, leading to account takeover and enterprise feature bypass via SSO configuration. This issue has been patched in version 3.0.13. | |||||
| CVE-2026-27344 | 2026-03-10 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in inseriswiss inseri core inseri-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects inseri core: from n/a through <= 1.0.5. | |||||
| CVE-2024-1634 | 1 Startbooking | 1 Scheduling Plugin | 2026-03-10 | N/A | 6.5 MEDIUM |
| The Scheduling Plugin – Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cbsb_disconnect_settings' function in all versions up to, and including, 3.5.10. This makes it possible for unauthenticated attackers to disconnect the plugin from the startbooking service and remove connection data. | |||||
| CVE-2026-29073 | 1 B3log | 1 Siyuan | 2026-03-10 | N/A | 8.8 HIGH |
| SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a user run sql directly, but it only checks basic auth, not admin rights, any logged-in user, even readers, can run any sql query on the database. This issue has been patched in version 3.6.0. | |||||
| CVE-2026-30850 | 1 Parseplatform | 1 Parse-server | 2026-03-10 | N/A | 5.9 MEDIUM |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9. | |||||
| CVE-2026-27796 | 1 Homarr | 1 Homarr | 2026-03-10 | N/A | 5.3 MEDIUM |
| Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service URLs, integration names, and service types. This issue has been patched in version 1.54.0. | |||||
| CVE-2026-28790 | 1 Olivetin | 1 Olivetin | 2026-03-10 | N/A | 7.5 HIGH |
| OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, but can still call the KillAction RPC directly and successfully stop a running action. This is a broken access control issue that causes unauthorized denial of service against legitimate action executions. This issue has been patched in version 3000.11.0. | |||||
| CVE-2026-28515 | 1 Opendcim | 1 Opendcim | 2026-03-10 | N/A | 8.8 HIGH |
| openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration. | |||||
| CVE-2026-22459 | 2026-03-09 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through <= 1.7.4. | |||||
| CVE-2026-23799 | 2026-03-09 | N/A | 6.5 MEDIUM | ||
| Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.5. | |||||
| CVE-2026-27361 | 2026-03-09 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1. | |||||
| CVE-2025-59544 | 1 Chamilo | 1 Chamilo Lms | 2026-03-09 | N/A | 4.3 MEDIUM |
| Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. This issue has been patched in version 1.11.34. | |||||
| CVE-2026-3770 | 1 Oretnom23 | 1 Computer Laboratory Management System | 2026-03-09 | 5.0 MEDIUM | 4.3 MEDIUM |
| A flaw has been found in SourceCodester Computer Laboratory Management System 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. The attack is possible to be carried out remotely. The exploit has been published and may be used. | |||||
| CVE-2026-27396 | 2026-03-09 | N/A | 7.3 HIGH | ||
| Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directory Pro: from n/a through <= 2.5.6. | |||||
| CVE-2026-27386 | 2026-03-09 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in designthemes DesignThemes Directory Addon designthemes-directory-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Directory Addon: from n/a through <= 1.8. | |||||
| CVE-2026-22479 | 2026-03-09 | N/A | 7.5 HIGH | ||
| Missing Authorization vulnerability in ThemeRuby Easy Post Submission easy-post-submission allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Post Submission: from n/a through <= 2.2.0. | |||||
| CVE-2026-1650 | 2026-03-09 | N/A | 5.3 MEDIUM | ||
| The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters. | |||||