Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-8407

Summary
Assigner-DEVOLUTIONS
Assigner Org ID-bfee16bd-18e6-446c-9a65-f5b2e3d89c23
Published At-12 May, 2026 | 16:16
Updated At-13 May, 2026 | 16:00
Rejected At-
Credits

Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.11.0 * Devolutions Server 2025.3.16.0 and earlier

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:DEVOLUTIONS
Assigner Org ID:bfee16bd-18e6-446c-9a65-f5b2e3d89c23
Published At:12 May, 2026 | 16:16
Updated At:13 May, 2026 | 16:00
Rejected At:
â–¼CVE Numbering Authority (CNA)

Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.11.0 * Devolutions Server 2025.3.16.0 and earlier

Affected Products
Vendor
DevolutionsDevolutions
Product
Server
Default Status
unaffected
Versions
Affected
  • From 2026.1.6.0 through 2026.1.11.0 (custom)
  • From 0 through 2025.3.16.0 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-862CWE-862: Missing Authorization
Type: CWE
CWE ID: CWE-862
Description: CWE-862: Missing Authorization
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://devolutions.net/security/advisories/DEVO-2026-0010/
N/A
Hyperlink: https://devolutions.net/security/advisories/DEVO-2026-0010/
Resource: N/A
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@devolutions.net
Published At:12 May, 2026 | 17:16
Updated At:26 May, 2026 | 12:32

Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.11.0 * Devolutions Server 2025.3.16.0 and earlier

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CPE Matches

Devolutions
devolutions
>>devolutions_server>>Versions before 2025.3.18.0(exclusive)
cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Devolutions
devolutions
>>devolutions_server>>Versions from 2026.1.6.0(inclusive) to 2026.1.12.0(exclusive)
cpe:2.3:a:devolutions:devolutions_server:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-862Secondarysecurity@devolutions.net
CWE ID: CWE-862
Type: Secondary
Source: security@devolutions.net
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://devolutions.net/security/advisories/DEVO-2026-0010/security@devolutions.net
Vendor Advisory
Hyperlink: https://devolutions.net/security/advisories/DEVO-2026-0010/
Source: security@devolutions.net
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

591Records found

CVE-2026-5146
Matching Score-10
Assigner-Devolutions Inc.
ShareView Details
Matching Score-10
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.77%
||
7 Day CHG~0.00%
Published-12 May, 2026 | 17:28
Updated-26 May, 2026 | 12:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : * Devolutions Server 2026.1.6.0 through 2026.1.15.0 * Devolutions Server 2025.3.19.0 and earlier

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2026-5171
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.74%
||
7 Day CHG~0.00%
Published-22 May, 2026 | 15:28
Updated-22 May, 2026 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-284
Improper Access Control
CVE-2026-4989
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.74%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 15:07
Updated-03 Apr, 2026 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request. This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-1768
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.96%
||
7 Day CHG~0.00%
Published-24 Feb, 2026 | 19:01
Updated-26 Feb, 2026 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A permission cache poisoning vulnerability in Devolutions Server allows authenticated users to bypass permissions to access entries.This issue affects Devolutions Server: before 2025.3.15.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverDevolutions Server
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-12117
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.80%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 18:25
Updated-18 Jun, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverDevolutions Server
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-11890
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.74%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 18:24
Updated-18 Jun, 2026 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverDevolutions Server
CWE ID-CWE-284
Improper Access Control
CVE-2024-12148
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 27.74%
||
7 Day CHG+0.01%
Published-04 Dec, 2024 | 17:18
Updated-28 Mar, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-863
Incorrect Authorization
CVE-2023-2118
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 28.49%
||
7 Day CHG~0.00%
Published-21 Apr, 2023 | 21:52
Updated-04 Feb, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insufficient access control in support ticket feature in Devolutions Server 2023.1.5.0 and below allows an authenticated attacker to send support tickets and download diagnostic files via specific endpoints.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverDevolutions Server
CVE-2025-13765
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 24.48%
||
7 Day CHG~0.00%
Published-27 Nov, 2025 | 15:30
Updated-03 Dec, 2025 | 14:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Exposure of email service credentials to users without administrative rights in Devolutions Server.This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-10971
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.51% / 39.74%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 15:52
Updated-27 Jun, 2025 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the Password History feature in Devolutions DVLS 2024.3.6 and earlier allows a malicious authenticated user to obtain sensitive data via faulty permission.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverDVLS (Devolutions Server)
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-1939
Matching Score-8
Assigner-Devolutions Inc.
ShareView Details
Matching Score-8
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.40% / 32.39%
||
7 Day CHG~0.00%
Published-11 Apr, 2023 | 17:47
Updated-10 Feb, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
No access control for the OTP key on OTP entries

No access control for the OTP key   on OTP entries in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non admin users to see OTP keys via the user interface.

Action-Not Available
Vendor-Devolutions
Product-remote_desktop_managerRemote Desktop Manager
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2026-9224
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.75%
||
7 Day CHG~0.00%
Published-22 May, 2026 | 15:25
Updated-22 May, 2026 | 18:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2026-9246
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 4.75%
||
7 Day CHG~0.00%
Published-22 May, 2026 | 15:26
Updated-22 May, 2026 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2026-6706
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 10.07%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 13:11
Updated-04 May, 2026 | 13:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2026-4925
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-5||MEDIUM
EPSS-0.19% / 9.28%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 15:02
Updated-03 Apr, 2026 | 19:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request. This issue affects Server: from 2026.1.6 through 2026.1.11.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2026-3638
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-5.9||MEDIUM
EPSS-0.18% / 7.44%
||
7 Day CHG~0.00%
Published-09 Mar, 2026 | 18:51
Updated-30 Mar, 2026 | 19:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2026-9251
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 3.88%
||
7 Day CHG~0.00%
Published-22 May, 2026 | 15:29
Updated-22 May, 2026 | 18:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2026-5175
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-5||MEDIUM
EPSS-0.25% / 16.66%
||
7 Day CHG~0.00%
Published-01 Apr, 2026 | 15:04
Updated-03 Apr, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.  This issue affects Server: from 2026.1.6 through 2026.1.11.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2026-4064
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-8.3||HIGH
EPSS-0.33% / 24.38%
||
7 Day CHG~0.00%
Published-17 Mar, 2026 | 19:14
Updated-19 Mar, 2026 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allows an authenticated user with any valid token to bypass role-based access controls and perform privileged operations — including reading sensitive data, creating or deleting resources, and disrupting service operations — via crafted gRPC requests.

Action-Not Available
Vendor-ironmansoftwareDevolutions
Product-powershell_universalPowerShell Universal
CWE ID-CWE-862
Missing Authorization
CVE-2026-12105
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.20% / 10.09%
||
7 Day CHG~0.00%
Published-16 Jun, 2026 | 18:28
Updated-18 Jun, 2026 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions.

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverDevolutions Server
CWE ID-CWE-862
Missing Authorization
CVE-2026-10787
Matching Score-6
Assigner-Devolutions Inc.
ShareView Details
Matching Score-6
Assigner-Devolutions Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.15% / 5.06%
||
7 Day CHG~0.00%
Published-08 Jun, 2026 | 18:26
Updated-12 Jun, 2026 | 17:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : * Devolutions Server 2026.2.4.0 * Devolutions Server 2026.1.20.0 and earlier

Action-Not Available
Vendor-Devolutions
Product-devolutions_serverServer
CWE ID-CWE-862
Missing Authorization
CVE-2024-3115
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.34% / 25.62%
||
7 Day CHG~0.00%
Published-26 Jun, 2024 | 23:31
Updated-30 Aug, 2024 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Exposure of Sensitive Information to an Unauthorized Actor in GitLab

An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2024-28155
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.45% / 36.01%
||
7 Day CHG~0.00%
Published-06 Mar, 2024 | 17:01
Updated-29 Mar, 2025 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Jenkins AppSpider Plugin 1.0.16 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to obtain information about available scan config names, engine group names, and client names.

Action-Not Available
Vendor-Jenkins
Product-appspiderJenkins AppSpider Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2019-20407
Matching Score-4
Assigner-Atlassian
ShareView Details
Matching Score-4
Assigner-Atlassian
CVSS Score-4.3||MEDIUM
EPSS-1.20% / 64.38%
||
7 Day CHG~0.00%
Published-17 Mar, 2020 | 03:10
Updated-17 Sep, 2024 | 00:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The ConfigureBambooRelease resource in Jira Software and Jira Software Data Center before version 8.6.1 allows authenticated remote attackers to view release version information in projects that they do not have access to through an missing authorisation check.

Action-Not Available
Vendor-Atlassian
Product-jira_serverjira_data_centerJira Software
CWE ID-CWE-862
Missing Authorization
CVE-2019-20887
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.65% / 46.68%
||
7 Day CHG~0.00%
Published-19 Jun, 2020 | 16:39
Updated-05 Aug, 2024 | 02:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5.3, and 4.10.6. It does not honor flags API permissions when deciding whether a user can receive intra-team posts.

Action-Not Available
Vendor-n/aMattermost, Inc.
Product-mattermost_servern/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-9013
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 16.76%
||
7 Day CHG~0.00%
Published-19 Jun, 2026 | 04:31
Updated-22 Jun, 2026 | 18:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bogo <= 3.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via REST API

The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogo_rest_create_post_translation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt, and password of any private, draft, or password-protected post by triggering its duplication via the translation endpoint and reading the returned title.raw, content.raw, and excerpt.raw fields of the duplicated post. This vulnerability is exploitable against posts written in a non-default locale, as authenticated subscribers can request a translation into the site's default locale to pass the locale-only permission gate. While subscribers can trigger the endpoint, this is only impactful at the Contributor-level as they can actually read the duplicated content.

Action-Not Available
Vendor-rocklobsterinc
Product-Bogo
CWE ID-CWE-862
Missing Authorization
CVE-2026-8144
Matching Score-4
Assigner-GitLab Inc.
ShareView Details
Matching Score-4
Assigner-GitLab Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.81%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 05:33
Updated-14 May, 2026 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with project membership to enumerate private group members due to missing authorization checks.

Action-Not Available
Vendor-GitLab Inc.
Product-gitlabGitLab
CWE ID-CWE-862
Missing Authorization
CVE-2026-7523
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 18.93%
||
7 Day CHG~0.00%
Published-05 Jun, 2026 | 22:28
Updated-08 Jun, 2026 | 14:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Alba Board <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'card_id' Parameter

The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to access arbitrary private alba_card post data, including title, description, assignee, due date, tags, and comments, that is intended to be restricted to Administrators and Editors. The handler is registered via the wp_ajax_nopriv_ hook and its nonce is exposed to all site visitors through wp_localize_script on pages containing the [alba_board] shortcode, making this exploitable by unauthenticated users who can access any such page.

Action-Not Available
Vendor-alejo30
Product-Alba Board
CWE ID-CWE-862
Missing Authorization
CVE-2026-57925
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.28%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 12:38
Updated-27 Jun, 2026 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags

Action-Not Available
Vendor-JetBrains s.r.o.
Product-youtrackYouTrack
CWE ID-CWE-862
Missing Authorization
CVE-2026-57954
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 6.44%
||
7 Day CHG~0.00%
Published-29 Jun, 2026 | 17:21
Updated-30 Jun, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Elide 7.1.17 - Permission Bypass in Sort Expression Validation

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.

Action-Not Available
Vendor-Yahoo Inc.
Product-elide
CWE ID-CWE-862
Missing Authorization
CVE-2026-56384
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.18%
||
7 Day CHG~0.00%
Published-21 Jun, 2026 | 13:27
Updated-24 Jun, 2026 | 17:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Craft CMS - Missing Authorization in assets/preview-thumb Endpoint

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.

Action-Not Available
Vendor-craftcms
Product-cms
CWE ID-CWE-862
Missing Authorization
CVE-2026-57521
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.21% / 11.35%
||
7 Day CHG+0.01%
Published-25 Jun, 2026 | 19:09
Updated-27 Jun, 2026 | 20:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bitwarden Server < 2026.5.0 Broken Access Control via PreviewInvoiceController

Bitwarden Server before 2026.5.0 contains a broken access control vulnerability that allows any authenticated user to access arbitrary organization billing data by supplying an arbitrary organizationId to the PreviewInvoiceController endpoints without membership or authorization checks. Attackers can exploit the missing ManageOrganizationBillingRequirement on the preview invoice endpoints to retrieve Stripe-computed tax totals, subscription status, and billing details derived from any target organization's real customer and subscription data.

Action-Not Available
Vendor-bitwardenbitwarden
Product-serverserver
CWE ID-CWE-862
Missing Authorization
CVE-2026-57285
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.02%
||
7 Day CHG+0.01%
Published-24 Jun, 2026 | 13:20
Updated-26 Jun, 2026 | 19:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration.

Action-Not Available
Vendor-Jenkins
Product-github_branch_sourceJenkins GitHub Branch Source Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2026-57286
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.02%
||
7 Day CHG+0.01%
Published-24 Jun, 2026 | 13:20
Updated-26 Jun, 2026 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A missing permission check in Jenkins Git Parameter Plugin 462.vdcf3df2ed2ca_ and earlier allows attackers with Item/Read permission to obtain information about the SCM repository used by a job, such as branch names, tag names, and revision metadata.

Action-Not Available
Vendor-Jenkins
Product-git_parameterJenkins Git Parameter Plugin
CWE ID-CWE-862
Missing Authorization
CVE-2026-57921
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.40%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 12:38
Updated-27 Jun, 2026 | 19:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint

Action-Not Available
Vendor-JetBrains s.r.o.
Product-youtrackYouTrack
CWE ID-CWE-862
Missing Authorization
CVE-2026-42051
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 9.17%
||
7 Day CHG~0.00%
Published-09 May, 2026 | 03:37
Updated-18 May, 2026 | 13:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kirby: System API endpoint leaks license data and installed version to authenticated users

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, the system API endpoint leaks license data and installed version to authenticated users. This issue has been patched in versions 4.9.0 and 5.4.0.

Action-Not Available
Vendor-getkirbygetkirby
Product-kirbykirby
CWE ID-CWE-862
Missing Authorization
CVE-2026-58373
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.20% / 10.42%
||
7 Day CHG~0.00%
Published-30 Jun, 2026 | 15:58
Updated-02 Jul, 2026 | 17:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CVAT < 2.69.0 - Missing Authorization on Quality Reports parent_id Filter Leaks Cross-Organization Report Existence

CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports via HTTP 500 versus HTTP 404 response differences, disclosing cross-organization report existence without returning report content.

Action-Not Available
Vendor-cvat-ai
Product-cvat
CWE ID-CWE-862
Missing Authorization
CVE-2026-57622
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.26% / 17.20%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:53
Updated-26 Jun, 2026 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WPCafe plugin <= 3.0.14 - Broken Access Control vulnerability

Subscriber Broken Access Control in WPCafe <= 3.0.14 versions.

Action-Not Available
Vendor-Arraytics
Product-WPCafe
CWE ID-CWE-862
Missing Authorization
CVE-2023-50850
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.36% / 27.96%
||
7 Day CHG+0.01%
Published-31 Dec, 2024 | 12:46
Updated-28 Apr, 2026 | 16:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Woo Subscriptions plugin < 5.8.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Woo WooCommerce Subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Subscriptions: from n/a before 5.8.0.

Action-Not Available
Vendor-WooCommerce
Product-WooCommerce Subscriptions
CWE ID-CWE-862
Missing Authorization
CVE-2026-57649
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 11.55%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:53
Updated-26 Jun, 2026 | 21:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Shoppable Images Lite plugin <= 1.3 - Broken Access Control vulnerability

Subscriber Broken Access Control in Shoppable Images Lite <= 1.3 versions.

Action-Not Available
Vendor-studiowombat
Product-Shoppable Images Lite
CWE ID-CWE-862
Missing Authorization
CVE-2026-55838
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.71%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 19:57
Updated-27 Jun, 2026 | 04:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RustFS: Missing admin authorization on /rustfs/admin/v3/metrics allows any authenticated user to read server metrics

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validate_admin_request to enforce admin-action IAM checks; the MetricsHandler skips this call entirely. A restricted IAM user whose policy grants only access to their own bucket can read server-wide operational metrics including disk I/O statistics, network throughput, scanner cycle timing, and cluster RPC state.

Action-Not Available
Vendor-rustfs
Product-rustfs
CWE ID-CWE-862
Missing Authorization
CVE-2026-53439
Matching Score-4
Assigner-Jenkins Project
ShareView Details
Matching Score-4
Assigner-Jenkins Project
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 14.25%
||
7 Day CHG~0.00%
Published-10 Jun, 2026 | 13:06
Updated-11 Jun, 2026 | 13:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Missing permission checks in Jenkins 2.567 and earlier, LTS 2.555.2 and earlier allow attackers with Overall/Read permission to determine other users' configured timezone and to enumerate view names of other users' "My Views".

Action-Not Available
Vendor-Jenkins
Product-jenkinsJenkins
CWE ID-CWE-862
Missing Authorization
CVE-2020-12698
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.78% / 51.37%
||
7 Day CHG~0.00%
Published-13 May, 2020 | 12:41
Updated-04 Aug, 2024 | 12:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Control for newsletter subscriber tables.

Action-Not Available
Vendor-dkdn/a
Product-direct_mailn/a
CWE ID-CWE-862
Missing Authorization
CVE-2026-49288
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.71%
||
7 Day CHG~0.00%
Published-19 Jun, 2026 | 18:11
Updated-22 Jun, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Statamic CMS missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content, asset metadata, and the existence of users, roles, and groups. No data could be modified. This has been fixed in 5.73.23 and 6.20.0.

Action-Not Available
Vendor-statamic
Product-cms
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-48971
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 13.89%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 11:53
Updated-27 May, 2026 | 14:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Product Import Export for WooCommerce plugin <= 2.5.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in WebToffee Product Import Export for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Import Export for WooCommerce: from n/a through 2.5.6.

Action-Not Available
Vendor-WebToffee
Product-Product Import Export for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-49051
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.53%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 14:53
Updated-27 May, 2026 | 15:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Meta and Date Remover plugin <= 2.3.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Meta and Date Remover: from n/a through 2.3.6.

Action-Not Available
Vendor-Prasad Kirpekar
Product-WP Meta and Date Remover
CWE ID-CWE-862
Missing Authorization
CVE-2026-47728
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.49%
||
7 Day CHG~0.00%
Published-26 May, 2026 | 16:16
Updated-26 May, 2026 | 17:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bugsink: Project scoping missing in sourcemap and debug-file lookup

Bugsink is a self-hosted error tracking tool. Prior to 2.2.0, Bugsink resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for another project in the same Bugsink instance, if the same debug ID was referenced. This vulnerability is fixed in 2.2.0.

Action-Not Available
Vendor-bugsink
Product-bugsink
CWE ID-CWE-862
Missing Authorization
CVE-2026-45442
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 14.76%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 10:54
Updated-19 May, 2026 | 14:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Presto Player plugin <= 4.1.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 4.1.3.

Action-Not Available
Vendor-Brainstorm Force
Product-Presto Player
CWE ID-CWE-862
Missing Authorization
CVE-2026-45007
Matching Score-4
Assigner-VulnCheck
ShareView Details
Matching Score-4
Assigner-VulnCheck
CVSS Score-5.3||MEDIUM
EPSS-0.22% / 12.60%
||
7 Day CHG~0.00%
Published-15 May, 2026 | 18:36
Updated-28 May, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
phpMyFAQ - Missing Permission Check on 12 Configuration API Endpoints Allows Information Disclosure

phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT). Any authenticated user can enumerate system configuration metadata including permission model, cache backend, mail provider, and translation provider by querying /admin/api/configuration endpoints, violating least privilege access control.

Action-Not Available
Vendor-Thorsten Rinne (phpMyFAQ)
Product-phpmyfaq
CWE ID-CWE-862
Missing Authorization
CVE-2026-42648
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.04%
||
7 Day CHG~0.00%
Published-29 Apr, 2026 | 10:40
Updated-12 May, 2026 | 11:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Spectra plugin <= 2.19.22 - Broken Access Control vulnerability

Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through <= 2.19.22.

Action-Not Available
Vendor-Brainstorm Force
Product-Spectra
CWE ID-CWE-862
Missing Authorization
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 11
  • 12
  • Next
Details not found