Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-22663

Summary
Assigner-VulnCheck
Assigner Org ID-83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At-03 Apr, 2026 | 20:27
Updated At-06 Apr, 2026 | 13:10
Rejected At-
Credits

prompts.chat Authorization Bypass Information Disclosure

prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:VulnCheck
Assigner Org ID:83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At:03 Apr, 2026 | 20:27
Updated At:06 Apr, 2026 | 13:10
Rejected At:
â–¼CVE Numbering Authority (CNA)
prompts.chat Authorization Bypass Information Disclosure

prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.

Affected Products
Vendor
f
Product
prompts.chat
Repo
https://github.com/f/prompts.chat
Default Status
unaffected
Versions
Affected
  • From 0 before 7b81836b214f2796aaf37ded2944eadc978afd35 (git)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862 Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862 Missing Authorization
Metrics
VersionBase scoreBase severityVector
4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Mehmet Ince @mdisec
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/f/prompts.chat/pull/1104
issue-tracking
https://github.com/f/prompts.chat/commit/7b81836b214f2796aaf37ded2944eadc978afd35
patch
https://www.vulncheck.com/advisories/prompts-chat-authorization-bypass-information-disclosure
third-party-advisory
Hyperlink: https://github.com/f/prompts.chat/pull/1104
Resource:
issue-tracking
Hyperlink: https://github.com/f/prompts.chat/commit/7b81836b214f2796aaf37ded2944eadc978afd35
Resource:
patch
Hyperlink: https://www.vulncheck.com/advisories/prompts-chat-authorization-bypass-information-disclosure
Resource:
third-party-advisory
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:disclosure@vulncheck.com
Published At:03 Apr, 2026 | 21:17
Updated At:13 Apr, 2026 | 18:15

prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.7HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Type: Secondary
Version: 4.0
Base score: 8.7
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CPE Matches
fka
fka
>>prompts.chat>>Versions before 2026-03-25(exclusive)
cpe:2.3:a:fka:prompts.chat:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Primarydisclosure@vulncheck.com
CWE ID: CWE-862
Type: Primary
Source: disclosure@vulncheck.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/f/prompts.chat/commit/7b81836b214f2796aaf37ded2944eadc978afd35disclosure@vulncheck.com
Patch
https://github.com/f/prompts.chat/pull/1104disclosure@vulncheck.com
Issue Tracking
Patch
Vendor Advisory
https://www.vulncheck.com/advisories/prompts-chat-authorization-bypass-information-disclosuredisclosure@vulncheck.com
Third Party Advisory
Hyperlink: https://github.com/f/prompts.chat/commit/7b81836b214f2796aaf37ded2944eadc978afd35
Source: disclosure@vulncheck.com
Resource:
Patch
Hyperlink: https://github.com/f/prompts.chat/pull/1104
Source: disclosure@vulncheck.com
Resource:
Issue Tracking
Patch
Vendor Advisory
Hyperlink: https://www.vulncheck.com/advisories/prompts-chat-authorization-bypass-information-disclosure
Source: disclosure@vulncheck.com
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

268Records found
CVE-2026-28276
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.15% / 35.82%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 22:57
Updated-27 Feb, 2026 | 19:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint

Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.

Action-Not Available
Vendor-moreliteaMorelitea
Product-initiativeinitiative
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2026-28254
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.9||MEDIUM
EPSS-0.04% / 14.05%
||
7 Day CHG~0.00%
Published-12 Mar, 2026 | 17:29
Updated-27 Mar, 2026 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge

A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.

Action-Not Available
Vendor-traneTrane
Product-tracer_sc\+_firmwaretracer_sc\+tracer_conciergetracer_sc_firmwaretracer_scTracer SC+Tracer SCTracer Concierge
CWE ID-CWE-862
Missing Authorization
CVE-2022-4972
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-1.77% / 83.14%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-08 Apr, 2026 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Download Monitor <= 4.7.51 - Missing Authorization to Unauthenticated Data Export

The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthenticated attackers to view user data and other sensitive information intended for administrators.

Action-Not Available
Vendor-wpchillwpchillwpchill
Product-download_monitorDownload Monitordownload_monitor
CWE ID-CWE-862
Missing Authorization
CVE-2026-27374
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WooCommerce Order Details plugin <= 3.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in vanquish WooCommerce Order Details woocommerce-order-details allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Order Details: from n/a through <= 3.1.

Action-Not Available
Vendor-Vanquish
Product-WooCommerce Order Details
CWE ID-CWE-862
Missing Authorization
CVE-2025-2025
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.23% / 46.22%
||
7 Day CHG~0.00%
Published-15 Mar, 2025 | 11:13
Updated-08 Apr, 2026 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Give <= 3.22.0 - Missing Authorization to Unauthenticated Arbitrary Earning Reports Disclosure via give_reports_earnings Function

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.

Action-Not Available
Vendor-The Events Calendar (StellarWP)GiveWP
Product-givewpGiveWP – Donation Plugin and Fundraising Platform
CWE ID-CWE-862
Missing Authorization
CVE-2022-48302
Matching Score-4
Assigner-Huawei Technologies
ShareView Details
Matching Score-4
Assigner-Huawei Technologies
CVSS Score-7.5||HIGH
EPSS-0.11% / 29.55%
||
7 Day CHG~0.00%
Published-09 Feb, 2023 | 00:00
Updated-24 Mar, 2025 | 21:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The AMS module has a vulnerability of lacking permission verification in APIs.Successful exploitation of this vulnerability may affect data confidentiality.

Action-Not Available
Vendor-Huawei Technologies Co., Ltd.
Product-emuiharmonyosHarmonyOSEMUI
CWE ID-CWE-862
Missing Authorization
CVE-2023-30195
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.11% / 29.02%
||
7 Day CHG~0.00%
Published-06 Jul, 2023 | 00:00
Updated-20 Nov, 2024 | 21:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the module "Detailed Order" (lgdetailedorder) in version up to 1.1.20 from Linea Grafica for PrestaShop, a guest can download personal informations without restriction formatted in json.

Action-Not Available
Vendor-lineagrafican/a
Product-lgdetailedordern/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-28076
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:54
Updated-28 Apr, 2026 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Guff theme <= 1.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Frenify Guff guff allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Guff: from n/a through <= 1.0.1.

Action-Not Available
Vendor-Frenify
Product-Guff
CWE ID-CWE-862
Missing Authorization
CVE-2026-27833
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.07% / 21.60%
||
7 Day CHG~0.00%
Published-03 Apr, 2026 | 21:34
Updated-09 Apr, 2026 | 21:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Piwigo: Unauthenticated Information Disclosure via pwg.history.search API

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the pwg.history.search API method in Piwigo is registered without the admin_only option, allowing unauthenticated users to access the full browsing history of all gallery visitors. This issue has been patched in version 16.3.0.

Action-Not Available
Vendor-Piwigo
Product-piwigoPiwigo
CWE ID-CWE-862
Missing Authorization
CVE-2022-48166
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-66.23% / 98.55%
||
7 Day CHG~0.00%
Published-06 Feb, 2023 | 00:00
Updated-25 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An access control issue in Wavlink WL-WN530HG4 M30HG4.V5030.201217 allows unauthenticated attackers to download configuration data and log files and obtain admin credentials.

Action-Not Available
Vendor-n/aWAVLINK Technology Ltd.
Product-wl-wn530hg4_firmwarewl-wn530hg4n/a
CWE ID-CWE-862
Missing Authorization
CVE-2022-48350
Matching Score-4
Assigner-Huawei Technologies
ShareView Details
Matching Score-4
Assigner-Huawei Technologies
CVSS Score-7.5||HIGH
EPSS-0.11% / 29.55%
||
7 Day CHG~0.00%
Published-27 Mar, 2023 | 00:00
Updated-24 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The HUAWEI Messaging app has a vulnerability of unauthorized file access. Successful exploitation of this vulnerability may affect confidentiality.

Action-Not Available
Vendor-Huawei Technologies Co., Ltd.
Product-emuiharmonyosEMUIHarmonyOS
CWE ID-CWE-862
Missing Authorization
CVE-2024-35672
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.50% / 66.31%
||
7 Day CHG~0.00%
Published-04 Jun, 2024 | 18:42
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Netgsm plugin <= 2.9.19 - Broken Access Control vulnerability

Missing Authorization vulnerability in Netgsm.This issue affects Netgsm: from n/a through 2.9.19.

Action-Not Available
Vendor-netgsmNetgsm
Product-netgsmNetgsm
CWE ID-CWE-862
Missing Authorization
CVE-2026-27361
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Responsive Posts Carousel Pro plugin <= 15.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1.

Action-Not Available
Vendor-WebCodingPlace
Product-Responsive Posts Carousel Pro
CWE ID-CWE-862
Missing Authorization
CVE-2026-26237
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-8.7||HIGH
EPSS-0.14% / 34.56%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 03:15
Updated-12 Jun, 2026 | 19:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QuMagie

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-qumagieQuMagie
CWE ID-CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2023-22478
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.3||HIGH
EPSS-81.12% / 99.19%
||
7 Day CHG~0.00%
Published-14 Jan, 2023 | 00:22
Updated-10 Mar, 2025 | 21:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
KubePi is vulnerable to missing authorization

KubePi is a modern Kubernetes panel. The API interfaces with unauthorized entities and may leak sensitive information. This issue has been patched in version 1.6.4. There are currently no known workarounds.

Action-Not Available
Vendor-KubeOperator (FIT2CLOUD Inc.)FIT2CLOUD Inc.
Product-kubepiKubePi
CWE ID-CWE-862
Missing Authorization
CVE-2026-24941
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 15:47
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Job Portal plugin <= 2.4.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.4.

Action-Not Available
Vendor-WP Job Portal
Product-WP Job Portal
CWE ID-CWE-862
Missing Authorization
CVE-2026-24363
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Cost Estimation & Payment Forms Builder plugin < 10.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in loopus WP Cost Estimation & Payment Forms Builder WP_Estimation_Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cost Estimation & Payment Forms Builder: from n/a through < 10.3.0.

Action-Not Available
Vendor-loopus
Product-WP Cost Estimation & Payment Forms Builder
CWE ID-CWE-862
Missing Authorization
CVE-2026-24382
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress News Magazine X theme <= 1.2.50 - Broken Access Control vulnerability

Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Magazine X: from n/a through <= 1.2.50.

Action-Not Available
Vendor-Royal Elementor Addons
Product-News Magazine X
CWE ID-CWE-862
Missing Authorization
CVE-2026-25026
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-29 Apr, 2026 | 09:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Team plugin <= 5.0.11 - Broken Access Control vulnerability

Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team: from n/a through <= 5.0.11.

Action-Not Available
Vendor-RadiusTheme
Product-Team
CWE ID-CWE-862
Missing Authorization
CVE-2026-25317
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.63%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Print Invoice & Delivery Notes for WooCommerce plugin <= 5.9.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through <= 5.9.0.

Action-Not Available
Vendor-tychesoftwares
Product-Print Invoice & Delivery Notes for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-25396
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Commerce Coinbase For WooCommerce plugin <= 1.6.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in CoderPress Commerce Coinbase For WooCommerce commerce-coinbase-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Commerce Coinbase For WooCommerce: from n/a through <= 1.6.6.

Action-Not Available
Vendor-CoderPress
Product-Commerce Coinbase For WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2021-33057
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.34% / 57.41%
||
7 Day CHG~0.00%
Published-26 Jul, 2022 | 22:36
Updated-03 Aug, 2024 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The QQ application 8.7.1 for Android and iOS does not enforce the permission requirements (e.g., android.permission.ACCESS_FINE_LOCATION) for determining the device's physical location. An attacker can use qq.createMapContext to create a MapContext object, use MapContext.moveToLocation to move the center of the map to the device's location, and use MapContext.getCenterLocation to get the latitude and longitude of the current map center.

Action-Not Available
Vendor-tencentn/a
Product-qqn/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-23541
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 08:26
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Mail Mint plugin <= 1.19.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4.

Action-Not Available
Vendor-WPFunnels
Product-Mail Mint
CWE ID-CWE-862
Missing Authorization
CVE-2026-23806
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.02% / 4.33%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Jobs for WordPress plugin <= 2.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Jobs for WordPress: from n/a through <= 2.8.

Action-Not Available
Vendor-BlueGlass Interactive AG
Product-Jobs for WordPress
CWE ID-CWE-862
Missing Authorization
CVE-2026-23977
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-25 Mar, 2026 | 16:14
Updated-28 Apr, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Helpdesk Support Ticket System for WooCommerce plugin <= 2.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through <= 2.1.2.

Action-Not Available
Vendor-WPFactory
Product-Helpdesk Support Ticket System for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-22479
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.21%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Post Submission plugin <= 2.4.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in ThemeRuby Easy Post Submission easy-post-submission allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Post Submission: from n/a through <= 2.4.0.

Action-Not Available
Vendor-ThemeRuby
Product-Easy Post Submission
CWE ID-CWE-862
Missing Authorization
CVE-2021-33013
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-8.2||HIGH
EPSS-0.22% / 44.46%
||
7 Day CHG~0.00%
Published-13 May, 2022 | 15:19
Updated-16 Apr, 2025 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mySCADA myPRO Improper Access Control

mySCADA myPRO versions prior to 8.20.0 does not restrict unauthorized read access to sensitive system information.

Action-Not Available
Vendor-myscadamySCADA
Product-mypromyPRO
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2026-1280
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.10% / 26.68%
||
7 Day CHG~0.00%
Published-28 Jan, 2026 | 11:23
Updated-08 Apr, 2026 | 17:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.

Action-Not Available
Vendor-nmedia
Product-Frontend File Manager Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2025-11754
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.06% / 18.98%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 03:25
Updated-08 Apr, 2026 | 16:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.

Action-Not Available
Vendor-wplegalpages
Product-Cookie Banner for GDPR / CCPA – WPLP Cookie Consent
CWE ID-CWE-862
Missing Authorization
CVE-2021-31576
Matching Score-4
Assigner-MediaTek, Inc.
ShareView Details
Matching Score-4
Assigner-MediaTek, Inc.
CVSS Score-7.5||HIGH
EPSS-0.74% / 73.50%
||
7 Day CHG~0.00%
Published-06 Feb, 2023 | 00:00
Updated-03 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In Boa, there is a possible information disclosure due to a missing permission check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20210008; Issue ID: OSBNB00123241.

Action-Not Available
Vendor-MediaTek Inc.
Product-en7528en7580_firmwareen7580en7528_firmwareEN7528, EN7580
CWE ID-CWE-862
Missing Authorization
CVE-2026-10737
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.10% / 26.56%
||
7 Day CHG+0.02%
Published-04 Jun, 2026 | 01:26
Updated-04 Jun, 2026 | 13:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SP Project & Document Manager <= 4.71 - Missing Authorization to Unauthenticated Arbitrary File Information Disclosure via view_file() Function

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the view_file function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links for arbitrary files stored inside project folders on the server, which can contain sensitive information. The authorization gate uses a negated nonce check OR-chained with permission checks, meaning a missing or invalid nonce causes the entire condition to evaluate to true and bypass all preceding capability and ownership checks. The secondary fallback check only denies access for root-level files (pid == 0), leaving all files stored inside project folders fully exposed to unauthenticated users who supply only a valid file ID in a POST request to admin-ajax.php.

Action-Not Available
Vendor-smartypants
Product-SP Project & Document Manager
CWE ID-CWE-862
Missing Authorization
CVE-2025-9954
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.98%
||
7 Day CHG~0.00%
Published-29 Oct, 2025 | 23:12
Updated-03 Dec, 2025 | 20:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Acquia DAM - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-105

Missing Authorization vulnerability in Drupal Acquia DAM allows Forceful Browsing.This issue affects Acquia DAM: from 0.0.0 before 1.1.5.

Action-Not Available
Vendor-acquiaThe Drupal Association
Product-damAcquia DAM
CWE ID-CWE-862
Missing Authorization
CVE-2024-3305
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
ShareView Details
Matching Score-4
Assigner-TR-CERT (Computer Emergency Response Team of the Republic of Türkiye)
CVSS Score-8.8||HIGH
EPSS-0.10% / 27.27%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 13:03
Updated-03 Jun, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IDOR in Utarit Information's SoliClub

Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data. This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android.

Action-Not Available
Vendor-utaritUtarit Informationutarit
Product-soliclubSoliClubsoliclub
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CWE ID-CWE-862
Missing Authorization
CVE-2022-4366
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
ShareView Details
Matching Score-4
Assigner-Protect AI (formerly huntr.dev)
CVSS Score-5.3||MEDIUM
EPSS-0.28% / 51.58%
||
7 Day CHG~0.00%
Published-08 Dec, 2022 | 00:00
Updated-14 Apr, 2025 | 17:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in lirantal/daloradius

Missing Authorization in GitHub repository lirantal/daloradius prior to master branch.

Action-Not Available
Vendor-daloradiuslirantal
Product-daloradiuslirantal/daloradius
CWE ID-CWE-862
Missing Authorization
CVE-2026-27796
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.61%
||
7 Day CHG~0.00%
Published-07 Mar, 2026 | 05:54
Updated-10 Mar, 2026 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Homarr: Unauthenticated Information Disclosure (Integration Metadata Leak)

Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service URLs, integration names, and service types. This issue has been patched in version 1.54.0.

Action-Not Available
Vendor-homarrhomarr-labs
Product-homarrhomarr
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CVE-2024-32715
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.11% / 29.58%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 16:53
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Olive One Click Demo Import plugin <= 1.1.1 - Arbitrary File Download vulnerability

Missing Authorization vulnerability in Olive Themes Olive One Click Demo Import.This issue affects Olive One Click Demo Import: from n/a through 1.1.1.

Action-Not Available
Vendor-olivethemesOlive Themesolivethemes
Product-olive_one_click_demo_importOlive One Click Demo Importolive_one_click_demo_import
CWE ID-CWE-862
Missing Authorization
CVE-2024-32777
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.48% / 65.72%
||
7 Day CHG~0.00%
Published-09 Jun, 2024 | 13:10
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress BizPrint plugin <= 4.3.39 - Broken Access Control vulnerability

Missing Authorization vulnerability in BizSwoop a CPF Concepts, LLC Brand BizPrint.This issue affects BizPrint: from n/a through 4.3.39.

Action-Not Available
Vendor-BizSwoop (CPF Concepts, LLC)
Product-BizPrint
CWE ID-CWE-862
Missing Authorization
CVE-2026-27386
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 13.21%
||
7 Day CHG~0.00%
Published-05 Mar, 2026 | 05:53
Updated-28 Apr, 2026 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress DesignThemes Directory Addon plugin <= 1.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in designthemes DesignThemes Directory Addon designthemes-directory-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Directory Addon: from n/a through <= 1.8.

Action-Not Available
Vendor-designthemes
Product-DesignThemes Directory Addon
CWE ID-CWE-862
Missing Authorization
CVE-2024-31343
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-1.15% / 78.98%
||
7 Day CHG~0.00%
Published-10 Apr, 2024 | 16:12
Updated-28 Apr, 2026 | 16:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin <= 4.10.1 - Arbitrary File Download vulnerability

Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 4.10.1.

Action-Not Available
Vendor-sonaarSonaar Musicsonaar
Product-mp3_audio_player_for_music\,_radio_\&_podcastMP3 Audio Player for Music, Radio & Podcast by Sonaarmp3_audio_player_for_music\,_radio_\&_podcast
CWE ID-CWE-862
Missing Authorization
CVE-2025-7717
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-7.5||HIGH
EPSS-0.29% / 52.65%
||
7 Day CHG~0.00%
Published-21 Jul, 2025 | 16:37
Updated-26 Aug, 2025 | 20:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
File Download - Moderately critical - Access bypass - SA-CONTRIB-2025-089

Missing Authorization vulnerability in Drupal File Download allows Forceful Browsing.This issue affects File Download: from 0.0.0 before 1.9.0, from 2.0.0 before 2.0.1.

Action-Not Available
Vendor-file_download_projectThe Drupal Association
Product-file_downloadFile Download
CWE ID-CWE-862
Missing Authorization
CVE-2025-70148
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.14% / 34.28%
||
7 Day CHG~0.00%
Published-18 Feb, 2026 | 00:00
Updated-20 Feb, 2026 | 13:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authentication and authorization in print_membership_card.php in CodeAstro Membership Management System 1.0 allows unauthenticated attackers to access membership card data of arbitrary users via direct requests with a manipulated id parameter, resulting in insecure direct object reference (IDOR).

Action-Not Available
Vendor-n/aCodeAstro
Product-membership_management_systemn/a
CWE ID-CWE-862
Missing Authorization
CVE-2025-70147
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.28% / 51.94%
||
7 Day CHG~0.00%
Published-18 Feb, 2026 | 00:00
Updated-20 Feb, 2026 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authentication in /admin/student.php and /admin/teacher.php in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to obtain sensitive information (including plaintext password field values) via direct HTTP GET requests to these endpoints without a valid session.

Action-Not Available
Vendor-n/aProjectworlds
Product-online_time_table_generatorn/a
CWE ID-CWE-306
Missing Authentication for Critical Function
CWE ID-CWE-862
Missing Authorization
CVE-2025-70986
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.02% / 6.65%
||
7 Day CHG~0.00%
Published-23 Jan, 2026 | 00:00
Updated-30 Jan, 2026 | 21:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data.

Action-Not Available
Vendor-n/aRuoyi
Product-ruoyin/a
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-862
Missing Authorization
CVE-2024-28215
Matching Score-4
Assigner-Naver Corporation
ShareView Details
Matching Score-4
Assigner-Naver Corporation
CVSS Score-7.5||HIGH
EPSS-0.33% / 56.42%
||
7 Day CHG~0.00%
Published-07 Mar, 2024 | 04:50
Updated-07 May, 2025 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

nGrinder before 3.5.9 allows an attacker to create or update webhook configuration due to lack of access control, which could be the cause of information disclosure and limited Server-Side Request Forgery.

Action-Not Available
Vendor-naverNAVERnaver
Product-ngrindernGrinderngrinder
CWE ID-CWE-862
Missing Authorization
CVE-2025-69393
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 15:46
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Exzo theme <= 1.2.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Jthemes Exzo exzo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Exzo: from n/a through <= 1.2.4.

Action-Not Available
Vendor-Jthemes
Product-Exzo
CWE ID-CWE-862
Missing Authorization
CVE-2020-7968
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.08% / 22.97%
||
7 Day CHG~0.00%
Published-05 Feb, 2020 | 15:56
Updated-04 Aug, 2024 | 09:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

GitLab EE 8.0 through 12.7.2 has Incorrect Access Control.

Action-Not Available
Vendor-n/aGitLab Inc.
Product-gitlabn/a
CWE ID-CWE-862
Missing Authorization
CVE-2025-68850
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.04% / 11.15%
||
7 Day CHG~0.00%
Published-05 Jan, 2026 | 10:43
Updated-29 Apr, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Sell Downloads plugin <= 1.1.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in codepeople Sell Downloads sell-downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sell Downloads: from n/a through <= 1.1.12.

Action-Not Available
Vendor-CodePeople
Product-Sell Downloads
CWE ID-CWE-862
Missing Authorization
CVE-2025-69313
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.06% / 18.52%
||
7 Day CHG~0.00%
Published-22 Jan, 2026 | 16:52
Updated-28 Apr, 2026 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress PostX plugin <= 5.0.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 5.0.3.

Action-Not Available
Vendor-WPXPO
Product-PostX
CWE ID-CWE-862
Missing Authorization
CVE-2025-69303
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.5||HIGH
EPSS-0.05% / 15.23%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 15:46
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress ModelTheme Framework plugin < 2.0.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in modeltheme ModelTheme Framework modeltheme-framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ModelTheme Framework: from n/a through < 2.0.0.

Action-Not Available
Vendor-modeltheme
Product-ModelTheme Framework
CWE ID-CWE-862
Missing Authorization
CVE-2026-26236
Matching Score-4
Assigner-QNAP Systems, Inc.
ShareView Details
Matching Score-4
Assigner-QNAP Systems, Inc.
CVSS Score-8.7||HIGH
EPSS-0.14% / 34.56%
||
7 Day CHG~0.00%
Published-09 Jun, 2026 | 04:06
Updated-09 Jun, 2026 | 13:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
QuMagie

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later

Action-Not Available
Vendor-QNAP Systems, Inc.
Product-QuMagie
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • Next
Details not found