Search Results (11588 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-31281 2 Church Admin Project, Wordpress 2 Church Admin, Wordpress 2026-04-23 6.3 Medium
Missing Authorization vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.1.6.
CVE-2024-31246 1 Wpxpo 1 Postx 2026-04-23 5.4 Medium
Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostX: from n/a through <= 3.2.3.
CVE-2024-30534 1 Typps 1 Calendarista 2026-04-23 6.5 Medium
Missing Authorization vulnerability in typps Calendarista Basic Edition calendarista-basic-edition.This issue affects Calendarista Basic Edition: from n/a through <= 3.0.5.
CVE-2024-30529 1 Tainacan 1 Tainacan 2026-04-23 5.3 Medium
Missing Authorization vulnerability in tainacan Tainacan tainacan.This issue affects Tainacan: from n/a through <= 0.20.7.
CVE-2024-30505 2 Church Admin Project, Wordpress 2 Church Admin, Wordpress 2026-04-23 5.4 Medium
Missing Authorization vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.1.18.
CVE-2024-27950 1 Sirv 1 Sirv 2026-04-23 5.4 Medium
Missing Authorization vulnerability in Sirv CDN and Image Hosting Sirv sirv.This issue affects Sirv: from n/a through <= 7.2.0.
CVE-2024-24833 1 Leevio 1 Happy Addons For Elementor 2026-04-23 4.3 Medium
Missing Authorization vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons.This issue affects Happy Addons for Elementor: from n/a through <= 3.10.1.
CVE-2023-50904 2 Ays-pro, Poll Maker Team 2 Poll Maker, Poll Maker 2026-04-23 5.3 Medium
Missing Authorization vulnerability in Ays Pro Poll Maker poll-maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Poll Maker: from n/a through <= 4.8.0.
CVE-2023-49857 2 Awesomesupport, Getawesomesupport 2 Awesome Support Wordpress Helpdesk \& Support, Awesome Support 2026-04-23 6.5 Medium
Missing Authorization vulnerability in awesomesupport Awesome Support awesome-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Awesome Support: from n/a through <= 6.1.7.
CVE-2023-49831 1 Metagauss 1 Registrationmagic 2026-04-23 7.5 High
Missing Authorization vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RegistrationMagic: from n/a through <= 5.2.3.0.
CVE-2023-49757 1 Getawesomesupport 1 Awesome Support 2026-04-23 5.4 Medium
Missing Authorization vulnerability in awesomesupport Awesome Support awesome-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Awesome Support: from n/a through <= 6.1.10.
CVE-2023-48324 1 Getawesomesupport 1 Awesome Support 2026-04-23 5.4 Medium
Missing Authorization vulnerability in awesomesupport Awesome Support awesome-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Awesome Support: from n/a through <= 6.1.4.
CVE-2023-47807 1 10web 1 10webanalytics 2026-04-23 4.3 Medium
Missing Authorization vulnerability in 10Web 10WebAnalytics wd-google-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 10WebAnalytics: from n/a through <= 1.2.12.
CVE-2023-45766 1 Ays-pro 1 Poll Maker 2026-04-23 5.3 Medium
Missing Authorization vulnerability in Ays Pro Poll Maker poll-maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Poll Maker: from n/a through <= 4.7.1.
CVE-2023-45765 1 Wedevs 1 Wp Erp 2026-04-23 4.3 Medium
Missing Authorization vulnerability in weDevs WP ERP erp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP ERP: from n/a through <= 1.12.6.
CVE-2026-35464 1 Pyload 1 Pyload 2026-04-23 7.5 High
pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMIN_ONLY_OPTIONS set to block non-admin users from modifying security-critical config options. The storage_folder option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the Flask filesystem session store, plant a malicious pickle payload as a predictable session file, and trigger arbitrary code execution when any HTTP request arrives with the corresponding session cookie. This vulnerability is fixed with commit c4cf995a2803bdbe388addfc2b0f323277efc0e1.
CVE-2026-34082 2 Dify, Langgenius 2 Dify, Dify 2026-04-23 4.3 Medium
Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue.
CVE-2026-39957 1 Lycheeorg 1 Lychee 2026-04-23 4.3 Medium
Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll() causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when() block. Any authenticated non-admin user with upload permission who owns at least one album can retrieve all user-group-based sharing permissions across the entire instance, including private albums owned by other users. This vulnerability is fixed in 7.5.4.
CVE-2026-5756 1 Data Recognition Corporation 1 Central Office Services - Content Hosting Component 2026-04-23 7.5 High
Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing services.
CVE-2026-25058 2 Vexa, Vexa-ai 2 Vexa, Vexa 2026-04-23 7.5 High
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint `GET /internal/transcripts/{meeting_id}` that returns transcript data for any meeting without any authentication or authorization checks. An unauthenticated attacker can enumerate all meeting IDs, access any user's meeting transcripts without credentials, and steal confidential business conversations, passwords, and/or PII. Version 0.10.0-260419-1910 patches the issue.