Total: 2635 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-34532 | 1 Parseplatform | 1 Parse-server | 2026-04-02 | N/A | 9.1 CRITICAL |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, requireMaster, or custom validation logic. This issue has been patched in versions 8.6.67 and 9.7.0-alpha.11. | |||||
| CVE-2026-34506 | 1 Openclaw | 1 Openclaw | 2026-04-01 | N/A | 4.3 MEDIUM |
| OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes. | |||||
| CVE-2026-33576 | 1 Openclaw | 1 Openclaw | 2026-04-01 | N/A | 6.5 MEDIUM |
| OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected. | |||||
| CVE-2026-33577 | 1 Openclaw | 1 Openclaw | 2026-04-01 | N/A | 8.1 HIGH |
| OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privileges onto paired nodes beyond their authorization level. | |||||
| CVE-2026-33578 | 1 Openclaw | 1 Openclaw | 2026-04-01 | N/A | 4.3 MEDIUM |
| OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attackers can exploit this policy resolution flaw to bypass sender restrictions and interact with bots despite configured allowlist restrictions. | |||||
| CVE-2025-71278 | 1 Xenforo | 1 Xenforo | 2026-04-01 | N/A | 8.8 HIGH |
| XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level. | |||||
| CVE-2024-50419 | 1 Greenshiftwp | 1 Greenshift - Animation And Page Builder Blocks | 2026-04-01 | N/A | 9.8 CRITICAL |
| Incorrect Authorization vulnerability in wpsoul Greenshift greenshift-animation-and-page-builder-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Greenshift: from n/a through <= 9.7. | | | | | |
| CVE-2026-4933 | 1 Jeroenb | 1 Unpublished Node Permissions | 2026-04-01 | N/A | 7.5 HIGH |
| Incorrect Authorization vulnerability in Drupal Unpublished Node Permissions allows Forceful Browsing. This issue affects Unpublished Node Permissions: from 0.0.0 before 1.7.0. | | | | | |
| CVE-2024-49256 | 1 Wpchill | 1 Htaccess File Editor | 2026-04-01 | N/A | 8.8 HIGH |
| Incorrect Authorization vulnerability in WP Chill Htaccess File Editor htaccess-file-editor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Htaccess File Editor: from n/a through <= 1.0.18. | | | | | |
| CVE-2026-33726 | 1 Cilium | 1 Cilium | 2026-04-01 | N/A | 5.4 MEDIUM |
| Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (`eni.enabled`), AlibabaCloud ENI (`alibabacloud.enabled`), Azure IPAM (`azure.enabled`, but not AKS BYOCNI), and some GKE deployments (`gke.enabled`; managed offerings such as GKE Dataplane V2 may use different defaults). It is typically not enabled in tunneled deployments, and chaining deployments are not affected. In practice, Amazon EKS with Cilium ENI mode is likely the most common affected environment. Versions 1.17.14, 1.18.8, and 1.19.2 contain a patch. There is currently no officially verified or comprehensive workaround for this issue. The only option would be to disable per-endpoint routes, but this will likely cause disruptions to ongoing connections, and potential conflicts if running in cloud providers. | |||||
| CVE-2026-24029 | | | 2026-04-01 | N/A | 6.5 MEDIUM |
| When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL. | | | | | |
| CVE-2026-32726 | | | 2026-04-01 | N/A | 8.1 HIGH |
| SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass in path-based scope validation. The enforcer used a simple string-prefix comparison when checking whether a requested resource path was covered by a token's authorized scope path. Because the check did not require a path-segment boundary, a token scoped to one path could incorrectly authorize access to sibling paths that merely started with the same prefix. This issue has been patched in version 1.4.1. | |||||
| CVE-2026-34586 | | | 2026-04-01 | N/A | 6.5 MEDIUM |
| PdfDing is a self-hosted PDF manager, viewer and editor offering a seamless user experience on multiple devices. Prior to version 1.7.1, check_shared_access_allowed() validates only session existence: it does not check SharedPdf.inactive (expiration / max views) or SharedPdf.deleted. The Serve and Download endpoints rely solely on this function, allowing previously-authorized users to access shared PDF content after expiration, view limit, or soft-deletion. This issue has been patched in version 1.7.1. | | | | | |
| CVE-2026-3573 | 1 Artificial Intelligence Project | 1 Artificial Intelligence | 2026-03-31 | N/A | 7.5 HIGH |
| Incorrect Authorization vulnerability in Drupal AI (Artificial Intelligence) allows Resource Injection. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.1.11, from 1.2.0 before 1.2.12. | | | | | |
| CVE-2026-3526 | 1 Geeks4change | 1 File Access Fix | 2026-03-31 | N/A | 5.3 MEDIUM |
| Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0. | | | | | |
| CVE-2026-3525 | 1 Geeks4change | 1 File Access Fix | 2026-03-31 | N/A | 5.3 MEDIUM |
| Incorrect Authorization vulnerability in Drupal File Access Fix (deprecated) allows Forceful Browsing. This issue affects File Access Fix (deprecated): from 0.0.0 before 1.2.0. | | | | | |
| CVE-2026-0562 | 1 Lollms | 1 Lollms | 2026-03-31 | N/A | 8.3 HIGH |
| A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0. | |||||
| CVE-2026-3210 | 1 Imagexmedia | 1 Material Icons | 2026-03-31 | N/A | 5.3 MEDIUM |
| Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing. This issue affects Material Icons: from 0.0.0 before 2.0.4. | | | | | |
| CVE-2025-61830 | 1 Adobe | 1 Pass Authentication | 2026-03-31 | N/A | 7.1 HIGH |
| Adobe Pass versions 3.7.3 and earlier are affected by an Incorrect Authorization vulnerability. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read and write access. Exploitation of this issue requires user interaction in that a victim must install a malicious SDK. | |||||
| CVE-2026-32914 | 1 Openclaw | 1 Openclaw | 2026-03-31 | N/A | 8.8 HIGH |
| OpenClaw before 2026.3.12 contains an insufficient access control vulnerability in the /config and /debug command handlers that allows command-authorized non-owners to access owner-only surfaces. Attackers with command authorization can read or modify privileged configuration settings restricted to owners by exploiting missing owner-level permission checks. | |||||
