Search Results (5666 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-20909 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 5.3 Medium
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries.
CVE-2026-24451 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea 1.26.2 allows fork synchronization to continue after a parent repository changes from public to private, exposing data to a fork that should no longer be authorized.
CVE-2026-24690 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea versions before 1.25.5 have insufficient permission checks for updating or rebasing pull request branches.
CVE-2026-12375 2026-07-07 9.8 Critical
The uncanny-automator-pro WordPress plugin before 7.3.0.6 was distributed with malicious code after the vendor's uncanny-automator-pro WordPress plugin before 7.3.0.6 update/distribution infrastructure was compromised; the injected backdoor grants unauthenticated attackers an administrator session on affected sites and beacons the site's secret keys and administrator details to attacker-controlled servers.
CVE-2026-25712 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea versions before 1.25.5 have insufficient visibility checks in organization permission APIs for hidden members and private organizations.
CVE-2026-26247 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 9.1 Critical
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
CVE-2026-26292 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 9.8 Critical
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.
CVE-2026-27660 1 Gitea 1 Gitea Open Source Git Server 2026-07-07 7.5 High
Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.
CVE-2026-54765 1 Traefik 1 Traefik 2026-07-07 N/A
Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only one route's filter set to all requests reaching that backend. In Gateway deployments where backendRef filters set security-sensitive headers, such as tenant identity, authorization context, or values the backend trusts, an attacker who can create an accepted HTTPRoute sharing the same backend Service:port may cause their route's filter context to be applied to another route's requests, potentially crossing namespace boundaries when a ReferenceGrant permits cross-namespace targeting. This issue is fixed in version v3.7.6.
CVE-2026-14792 1 Formbricks 1 Formbricks 2026-07-07 6.5 Medium
A security vulnerability has been detected in Formbricks 5.0.0. This impacts an unknown function of the file apps/web/modules/survey/link/actions.ts of the component Survey Handler. The manipulation leads to improper access controls. Remote exploitation of the attack is possible. Upgrading to version 5.1.0-rc.1 will fix this issue. The identifier of the patch is af6023b5ac3b030ffcea24fac799f76f3e3512c6. You should upgrade the affected component.
CVE-2026-14775 1 Sourcecodester 2 Onlne Examination & Learning Management System, Onlne Examination Learning Management System 2026-07-07 6.3 Medium
A vulnerability was identified in SourceCodester Onlne Examination & Learning Management System 1.0. Affected is an unknown function of the file /process_lesson.php. Such manipulation of the argument user_id leads to unrestricted upload. The attack may be launched remotely. The exploit is publicly available and might be used. The name of the affected product appears to have a typo in it.
CVE-2026-58523 1 Microsoft 1 Edge Chromium 2026-07-07 6.5 Medium
Improper access control in Microsoft Edge for Android allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-58286 1 Microsoft 1 Edge Chromium 2026-07-07 8.1 High
Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-20706 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 9.1 Critical
Gitea versions up to and including 1.26.1 allow repository archive downloads to bypass token scope checks on the web archive download endpoint.
CVE-2026-22555 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 8.1 High
Gitea versions before 1.26.0 allow API users to fork a repository into an organization without first passing the CanCreateOrgRepo check, which can expose organization secrets.
CVE-2026-27779 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 7.5 High
Gitea versions before 1.25.5 accept malformed or injected forwarded-proto values when detecting public URLs, allowing spoofed canonical URL generation.
CVE-2026-28699 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 8.1 High
Gitea versions up to and including 1.26.1 allow OAuth2 access token scope enforcement to be bypassed through HTTP Basic authentication.
CVE-2026-58421 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 7.5 High
Unauthenticated ReDoS via CODEOWNERS pattern matching allows denial of service
CVE-2026-58422 1 Gitea 1 Gitea Open Source Git Server 2026-07-06 9.8 Critical
Improper authorization on OAuth sign-in callback silently re-enables administrator-disabled accounts
CVE-2026-11887 2 Salonbookingsystem, Wordpress 2 Salon Booking System, Wordpress 2026-07-06 4.3 Medium
The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such as a subscriber, to modify a Salon Booking System WordPress plugin before 10.30.20 setting and bypass the manual approval of new bookings.