Export limit exceeded: 11708 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11708 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-46772 | 1 Oracle | 1 Application Development Framework | 2026-06-17 | 4.7 Medium |
| Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data as well as unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N). | ||||
| CVE-2026-48783 | 1 Gitroomhq | 1 Postiz-app | 2026-06-17 | 4.8 Medium |
| Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The endpoint, /public/modify-subscription, could not change the persisted subscription tier, but it did execute enforcement-related side effects on the caller's own organization, including adjusting team-member enablement state, disabling integrations exceeding the asserted plan's limits, and resetting the scheduled-post cron when the asserted plan was the free tier. Impact is limited to the attacker's own organization and cannot be redirected at other tenants through this endpoint. This issue has been fixed in version 2.21.8. | ||||
| CVE-2026-0133 | 1 Google | 1 Android | 2026-06-17 | 7.8 High |
| In smmu_attach_dev of arm-smmu-v3.c, there is a possible way to sign malicious Android Runtime bootclass artifacts due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2024-24709 | 2 Shareaholic, Wordpress | 2 Shareaholic, Wordpress | 2026-06-17 | 4.3 Medium |
| Missing Authorization vulnerability in Shareaholic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shareaholic: from n/a through 9.7.11. | ||||
| CVE-2026-32967 | 1 Apache | 1 Dolphinscheduler | 2026-06-17 | 6.5 Medium |
| Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. | ||||
| CVE-2026-24611 | 2 Wordpress, Wpmet | 2 Wordpress, Metform Pro | 2026-06-17 | 9.1 Critical |
| Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions. | ||||
| CVE-2026-24610 | 2 Wordpress, Wpmet | 2 Wordpress, Metform Pro | 2026-06-17 | 4.3 Medium |
| Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions. | ||||
| CVE-2026-39595 | 2 Boldgrid, Wordpress | 2 W3 Total Cache, Wordpress | 2026-06-17 | 4.7 Medium |
| Author Broken Access Control in W3 Total Cache <= 2.9.1 versions. | ||||
| CVE-2026-40723 | 2 Bricks, Wordpress | 2 Bricks Builder, Wordpress | 2026-06-17 | 4.3 Medium |
| Subscriber Broken Access Control in Bricks Builder <= 2.1.4 versions. | ||||
| CVE-2026-24575 | 2 Wishlist Member, Wordpress | 2 Wishlist Member X, Wordpress | 2026-06-17 | 4.3 Medium |
| Subscriber Broken Access Control in WishList Member X <= 3.29.0 versions. | ||||
| CVE-2024-32949 | 2 Prince, Wordpress | 2 Integrate Google Drive, Wordpress | 2026-06-17 | 8.3 High |
| Missing Authorization vulnerability in Prince Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through 1.3.8. | ||||
| CVE-2024-33909 | 2 Avirtum, Wordpress | 2 Ipages Flipbook, Wordpress | 2026-06-17 | 5.3 Medium |
| Missing Authorization vulnerability in Avirtum iPages Flipbook allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iPages Flipbook: from n/a through 1.5.1. | ||||
| CVE-2026-26237 | 2 Qnap, Qnap Systems | 2 Qumagie, Qumagie | 2026-06-17 | 7.5 High |
| A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later | ||||
| CVE-2026-26236 | 2 Qnap, Qnap Systems | 2 Qumagie, Qumagie | 2026-06-17 | 7.5 High |
| A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later | ||||
| CVE-2026-24724 | 2 Qnap, Qnap Systems | 2 File Station, File Station 5 | 2026-06-17 | 8.1 High |
| An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later | ||||
| CVE-2026-53851 | 1 Openclaw | 1 Openclaw | 2026-06-16 | 5.3 Medium |
| OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled, potentially leading to unauthorized processing of lower-trust input. | ||||
| CVE-2026-53844 | 1 Openclaw | 1 Openclaw | 2026-06-16 | 6.5 Medium |
| OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory entries that should not be visible to their session. | ||||
| CVE-2026-53853 | 1 Openclaw | 1 Openclaw | 2026-06-16 | 8.3 High |
| OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution. | ||||
| CVE-2026-53850 | 1 Openclaw | 1 Openclaw | 2026-06-16 | 5.5 Medium |
| OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended caller authority, potentially enabling unauthorized operations depending on gateway configuration and input trust levels. | ||||
| CVE-2026-44173 | 1 Mariadb | 2 Mariadb, Server | 2026-06-16 | 5 Medium |
| MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2. | ||||