| CVE-2026-56215 | 2026-06-20 | Capgo before 12.128.12 allows authenticated users to modify their mutable public.users.email to arbitrary addresses, which the SSO provisioning endpoint trusts as an account-merge key. Attackers can p… |
| CVE-2026-49339 | 2026-06-19 | gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit `6dd71e6a3c966867ef8c900d359a7df75789f410` added an ownership check based on `play… |
| CVE-2026-49338 | 2026-06-19 | gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints `/rest/deletePlaylist.view` and `/rest/getPlaylist.view` perfo… |
| CVE-2026-54105 | 2026-06-18 | The U.S. Government Accountability Office (GAO) Electronic Protest Docketing System (EPDS) and Civilian Board of Contract Appeals (CBCA) Electronic Docketing System (EDS) expose sensitive account info… |
| CVE-2026-50141 | 2026-06-18 | Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the… |
| CVE-2026-12102 | 2026-06-18 | The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and … |
| CVE-2026-10623 | 2026-06-18 | The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the 'r… |
| CVE-2026-10023 | 2026-06-18 | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and… |
| CVE-2026-48759 | 2026-06-17 | TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an Insecure Direct Object Reference vulnerability through cross-workspace Theme Template modification and deletion. The handleSaveThem… |
| CVE-2026-50194 | 2026-06-17 | Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 a… |
| CVE-2026-53863 | 2026-06-16 | OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could tr… |
| CVE-2026-10780 | 2026-06-16 | The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the static_block_content() shortcode handler retrievin… |
| CVE-2026-48599 | 2026-06-15 | Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting valu… |
| CVE-2026-52699 | 2026-06-15 | Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions. |
| CVE-2026-48872 | 2026-06-15 | Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions. |
| CVE-2026-48868 | 2026-06-15 | Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions. |
| CVE-2026-40792 | 2026-06-15 | Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions. |
| CVE-2026-39518 | 2026-06-15 | Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions. |
| CVE-2025-59133 | 2026-06-15 | Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions. |
| CVE-2026-12204 | 2026-06-15 | A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of t… |