Total
1318 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-20114 | 1 Cisco | 2 Unified Contact Center Express, Unified Intelligence Center | 2026-02-26 | 4.3 Medium |
| A vulnerability in the API of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to perform a horizontal privilege escalation attack on an affected system. This vulnerability is due to insufficient validation of user-supplied parameters in API requests. An attacker could exploit this vulnerability by submitting crafted API requests to an affected system to execute an insecure direct object reference attack. A successful exploit could allow the attacker to access specific data that is associated with different users on the affected system. | ||||
| CVE-2025-22422 | 1 Google | 1 Android | 2026-02-26 | 7.8 High |
| In multiple locations, there is a possible way to mislead a user into approving an authentication prompt for one app when its result will be used in another due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-2697 | 1 Tenable | 1 Security Center | 2026-02-26 | 6.3 Medium |
| An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter. | ||||
| CVE-2026-2698 | 1 Tenable | 1 Security Center | 2026-02-26 | 6.5 Medium |
| An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope. | ||||
| CVE-2026-3185 | 2 Feiyuchuixue, Szadmin | 2 Sz-boot-parent, Sz-boot-parent | 2026-02-26 | 5.3 Medium |
| A vulnerability was found in feiyuchuixue sz-boot-parent up to 1.3.2-beta. Affected is an unknown function of the file /api/admin/sys-message/ of the component API Endpoint. The manipulation of the argument messageId results in authorization bypass. The attack can be launched remotely. The exploit has been made public and could be used. Upgrading to version 1.3.3-beta is able to address this issue. The patch is identified as aefaabfd7527188bfba3c8c9eee17c316d094802. The affected component should be upgraded. The project was informed beforehand and acted very professional: "We have implemented message ownership verification, so that users can only query messages related to themselves." | ||||
| CVE-2025-36365 | 1 Ibm | 1 Db2 | 2026-02-26 | 6.8 Medium |
| IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass vulnerability using a user-controlled key. | ||||
| CVE-2025-40541 | 1 Solarwinds | 1 Serv-u | 2026-02-26 | 9.1 Critical |
| An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default. | ||||
| CVE-2025-14742 | 2 Brechtvds, Wordpress | 2 Wp Recipe Maker, Wordpress | 2026-02-26 | 4.3 Medium |
| The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn't be able to access. | ||||
| CVE-2025-15582 | 1 Detronetdip | 1 E-commerce | 2026-02-26 | 5.4 Medium |
| A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypass. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | ||||
| CVE-2025-68514 | 2 Cozmoslabs, Wordpress | 2 Paid Member Subscriptions, Wordpress | 2026-02-25 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Paid Member Subscriptions: from n/a through <= 2.16.8. | ||||
| CVE-2025-68051 | 2 Shiprocket, Wordpress | 2 Shiprocket, Wordpress | 2026-02-25 | 7.4 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Shiprocket Shiprocket shiprocket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shiprocket: from n/a through <= 2.0.8. | ||||
| CVE-2023-36483 | 1 Honeywell | 2 Masmobile Asp.net Services, Masmobile Classic | 2026-02-25 | 6.5 Medium |
| Authorization bypass can be achieved by session ID prediction in MASmobile Classic Android version 1.16.18 and earlier and MASmobile Classic iOS version 1.7.24 and earlier which allows remote attackers to retrieve sensitive data including customer data, security system status, and event history. | ||||
| CVE-2023-46446 | 2 Asyncssh Project, Redhat | 2 Asyncssh, Ceph Storage | 2026-02-25 | 6.8 Medium |
| An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." | ||||
| CVE-2026-22383 | 2 Mikado-themes, Wordpress | 2 Pawfriends - Pet Shop And Veterinary Wordpress Theme, Wordpress | 2026-02-25 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3. | ||||
| CVE-2022-2824 | 1 Open-emr | 1 Openemr | 2026-02-25 | 8.8 High |
| Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1. | ||||
| CVE-2025-65097 | 2 Romm.app, Rommapp | 2 Romm, Romm | 2026-02-24 | 6.5 Medium |
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | ||||
| CVE-2025-65096 | 2 Romm.app, Rommapp | 2 Romm, Romm | 2026-02-24 | 4.3 Medium |
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification or checking if the collection is public/private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2. | ||||
| CVE-2025-12919 | 1 Evershop | 1 Evershop | 2026-02-24 | 3.7 Low |
| A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-24776 | 1 Openproject | 1 Openproject | 2026-02-23 | 4.3 Medium |
| OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, that could cause confusions. The vulnerability is fixed in 17.0.2. | ||||
| CVE-2026-2997 | 1 Wisdomgarden | 1 Tronclass | 2026-02-23 | 5.4 Medium |
| Tronclass developed by WisdomGarden has a Insecure Direct Object Reference vulnerability. After obtaining a course ID, authenticated remote attackers to modify a specific parameter to obtain a course invitation code, thereby joining any course. | ||||