Total: 2917 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-15390 | 1 Phpgurukul | 1 Small Crm | 2026-04-29 | 6.5 MEDIUM | 6.3 MEDIUM |
| A security flaw has been discovered in PHPGurukul Small CRM 4.0. This impacts an unknown function of the file /admin/edit-user.php. The manipulation results in missing authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. | |||||
| CVE-2025-8434 | 1 Anisha | 1 Online Movie Streaming | 2026-04-29 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in code-projects Online Movie Streaming 1.0. It has been classified as critical. Affected is an unknown function of the file /admin.php. The manipulation of the argument ID leads to missing authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2026-24749 | | | 2026-04-28 | N/A | 5.3 MEDIUM |
| The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL() or DBFile::getSourceURL() incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidth() or Convert(). Note that if developers use DBFile directly in the $db configuration for a DataObject class that doesn't subclass File, and if they were setting the visibility of those files to "protected", those files will now need an explicit access grant to be accessed. If developers do not want to explicitly provide access grants for these files in their apps (i.e. they want these files to be accessible by default), they should use the "public" visibility. This issue has been fixed in versions 2.4.5 and 3.1.3. | |||||
| CVE-2026-41908 | 1 Openclaw | 1 Openclaw | 2026-04-28 | N/A | 4.3 MEDIUM |
| OpenClaw before 2026.4.20 contains a scope enforcement bypass vulnerability in the assistant-media route that allows trusted-proxy callers without operator.read scope to access protected assistant-media files and metadata. Attackers can bypass identity-bearing HTTP auth path scope validation to retrieve sensitive media content within allowed media roots. | |||||
| CVE-2026-41909 | 1 Openclaw | 1 Openclaw | 2026-04-28 | N/A | 5.4 MEDIUM |
| OpenClaw before 2026.4.20 contains an improper authorization vulnerability in paired-device pairing management that allows limited-scope sessions to enumerate and act on pairing requests. Attackers with paired-device access can approve or operate on unrelated pending device requests within the same gateway scope. | |||||
| CVE-2024-43954 | 1 Themeum | 1 Droip | 2026-04-28 | N/A | 6.3 MEDIUM |
| Incorrect Authorization vulnerability in Themeum Droip allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Droip: from n/a through 1.1.1. | |||||
| CVE-2023-51405 | 1 Reputeinfosystems | 1 Bookingpress | 2026-04-28 | N/A | 8.2 HIGH |
| Improper Authentication vulnerability in Repute Infosystems BookingPress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects BookingPress: from n/a through 1.0.74. | |||||
| CVE-2023-50886 | 1 Wpwax | 1 Legal Pages | 2026-04-28 | N/A | 4.3 MEDIUM |
| Cross-Site Request Forgery (CSRF), Incorrect Authorization vulnerability in wpWax Legal Pages. This issue affects Legal Pages: from n/a through 1.3.7. | |||||
| CVE-2023-47827 | 1 Nicheaddons | 1 Events Addon For Elementor | 2026-04-28 | N/A | 6.5 MEDIUM |
| Incorrect Authorization vulnerability in NicheAddons Events Addon for Elementor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Events Addon for Elementor: from n/a through 2.1.3. | |||||
| CVE-2023-25043 | | | 2026-04-28 | N/A | 4.3 MEDIUM |
| Incorrect Authorization vulnerability in Supsystic Data Tables Generator. This issue affects Data Tables Generator: from n/a through 1.10.25. | |||||
| CVE-2022-45353 | 1 Muffingroup | 1 Betheme | 2026-04-28 | N/A | 4.3 MEDIUM |
| Broken Access Control in Betheme theme <= 26.6.1 on WordPress. | |||||
| CVE-2026-41350 | 1 Openclaw | 1 Openclaw | 2026-04-28 | N/A | 4.3 MEDIUM |
| OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session_status without sandbox constraints to bypass session-policy controls and access restricted session information. | |||||
| CVE-2026-41367 | 1 Openclaw | 1 Openclaw | 2026-04-28 | N/A | 5.0 MEDIUM |
| OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing channel policy enforcement. | |||||
| CVE-2026-41371 | 1 Openclaw | 1 Openclaw | 2026-04-28 | N/A | 8.5 HIGH |
| OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript state, and force new session IDs without requiring admin scope by exploiting improper authorization checks in the chat.send path. | |||||
| CVE-2025-54265 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2026-04-28 | N/A | 5.9 MEDIUM |
| Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction. | |||||
| CVE-2026-40071 | 1 Pyload | 1 Pyload | 2026-04-28 | N/A | 5.4 MEDIUM |
| pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute MODIFY operations that should be denied by pyLoad's own permission model. This vulnerability is fixed in 0.5.0b3.dev97. | |||||
| CVE-2026-40574 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2026-04-27 | N/A | 6.8 MEDIUM |
| OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An attacker may be able to authenticate with an email claim such as attacker@evil.com@company.com and satisfy an allowed domain check for company.com, even though the claim is not a valid email address. The issue ONLY affects deployments that rely on email_domain restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. This vulnerability is fixed in 7.15.2. | |||||
| CVE-2026-40155 | 1 Auth0 | 1 Nextjs-auth0 | 2026-04-27 | N/A | 5.4 MEDIUM |
| The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for the token request results. Users are affected if their project uses both the vulnerable versions and the proxy handler /me/* and /my-org/* with DPoP enabled. This issue has been fixed in version 4.18.0. | |||||
| CVE-2026-40099 | 1 Getkirby | 1 Kirby | 2026-04-27 | N/A | 6.5 MEDIUM |
| Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions on content models in the CMS. These permissions are defined for each role in the user blueprint (`site/blueprints/users/...`). It is also possible to customize the permissions for each target model in the model blueprints (such as in `site/blueprints/pages/...`) using the `options` feature. The permissions and options together control the authorization of user actions. For pages, Kirby provides the `pages.create` and `pages.changeStatus` permissions (among others). Prior to versions 4.9.0 and 5.4.0, Kirby checked these permissions independently and only for the respective action. However, the `changeStatus` permission didn't take effect on page creation. New pages are created as drafts by default and need to be published by changing the page status of an existing page draft. This is ensured when the page is created via the Kirby Panel. However, the REST API allows overriding the `isDraft` flag when creating a new page. This allowed authenticated attackers with the `pages.create` permission to immediately create published pages, bypassing the normal editorial workflow. The problem has been patched in Kirby 4.9.0 and Kirby 5.4.0. Kirby has added a check to the page creation rules that ensures that users without the `pages.changeStatus` permission cannot create published pages, only page drafts. | |||||
| CVE-2026-40224 | 1 Systemd Project | 1 Systemd | 2026-04-27 | N/A | 6.7 MEDIUM |
| In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace. | |||||
