Total
6977 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0511 | 1 Sap | 1 Fiori | 2026-02-26 | 8.1 High |
| SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has high impact on confidentiality and integrity of the application ,availability is not impacted. | ||||
| CVE-2025-11669 | 1 Zohocorp | 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro | 2026-02-26 | 8.1 High |
| Zohocorp ManageEngine PAM360 versions before 8202; Password Manager Pro versions before 13221; Access Manager Plus versions prior to 4401 are vulnerable to an authorization issue in the initiate remote session functionality. | ||||
| CVE-2026-0488 | 2 Sap, Sap Se | 4 Netweaver Application Server Abap, S\/4hana, Webclient Ui Framework and 1 more | 2026-02-26 | 9.9 Critical |
| An authenticated attacker in SAP CRM and SAP S/4HANA (Scripting Editor) could exploit a flaw in a generic function module call and execute unauthorized critical functionalities, which includes the ability to execute an arbitrary SQL statement. This leads to a full database compromise with high impact on confidentiality, integrity, and availability. | ||||
| CVE-2026-20626 | 1 Apple | 5 Ios And Ipados, Ipados, Iphone Os and 2 more | 2026-02-26 | 7.8 High |
| This issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.4, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. A malicious app may be able to gain root privileges. | ||||
| CVE-2026-26358 | 1 Dell | 2 Powermax Os, Unisphere For Powermax | 2026-02-26 | 8.8 High |
| Dell Unisphere for PowerMax, version(s) 10.2, contain(s) a Missing Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | ||||
| CVE-2025-30416 | 1 Acronis | 2 Acronis Cyber Protect 15, Acronis Cyber Protect 16 | 2026-02-26 | N/A |
| Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800. | ||||
| CVE-2026-22765 | 1 Dell | 1 Wyse Management Suite | 2026-02-26 | 8.8 High |
| Dell Wyse Management Suite, versions prior to WMS 5.5, contain a Missing Authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of Privileges. | ||||
| CVE-2026-1916 | 2 Javmah, Wordpress | 2 Spreadsheet Integration, Wordpress | 2026-02-26 | 7.5 High |
| The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin user ID and email) to create, modify, and delete arbitrary WordPress posts and pages, granted they know the administrator's email address and an active integration ID with remote updates enabled. | ||||
| CVE-2026-2301 | 2 Metaphorcreations, Wordpress | 2 Post Duplicator, Wordpress | 2026-02-26 | 4.3 Medium |
| The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys on duplicated posts via the `customMetaData` JSON array parameter in the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint. | ||||
| CVE-2026-28195 | 1 Jetbrains | 1 Teamcity | 2026-02-26 | 4.3 Medium |
| In JetBrains TeamCity before 2025.11.3 missing authorization allowed project developers to add parameters to build configurations | ||||
| CVE-2025-15563 | 1 Nestersoft | 1 Worktime | 2026-02-26 | 5.3 Medium |
| Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here. | ||||
| CVE-2025-67973 | 2 Sunshinephotocart, Wordpress | 2 Sunshine Photo Cart, Wordpress | 2026-02-25 | 6.5 Medium |
| Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through <= 3.5.6.2. | ||||
| CVE-2025-67969 | 2 Knitpay, Wordpress | 2 Upi Qr Code Payment Gateway For Woocommerce, Wordpress | 2026-02-25 | 6.5 Medium |
| Missing Authorization vulnerability in knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UPI QR Code Payment Gateway for WooCommerce: from n/a through <= 1.5.1. | ||||
| CVE-2025-67547 | 2 Uixthemes, Wordpress | 2 Konte, Wordpress | 2026-02-25 | 6.5 Medium |
| Missing Authorization vulnerability in uixthemes Konte konte allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Konte: from n/a through <= 2.4.6. | ||||
| CVE-2025-14339 | 2 Wedevs, Wordpress | 2 Wemail: Email Marketing, Email Automation, Newsletters, Subscribers & Ecommerce Email Optins, Wordpress | 2026-02-25 | 6.5 Medium |
| The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint. | ||||
| CVE-2025-68025 | 2 Addonify, Wordpress | 2 Addonify Floating Cart For Woocommerce, Wordpress | 2026-02-25 | 6.5 Medium |
| Missing Authorization vulnerability in Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify Floating Cart For WooCommerce: from n/a through <= 1.2.17. | ||||
| CVE-2025-68023 | 2 Addonify, Wordpress | 2 Addonify – Compare Products For Woocommerce, Wordpress | 2026-02-25 | 6.5 Medium |
| Missing Authorization vulnerability in Addonify Addonify – Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify – Compare Products For WooCommerce: from n/a through <= 1.1.17. | ||||
| CVE-2025-68021 | 2 Conveythis, Wordpress | 2 Conveythis, Wordpress | 2026-02-25 | 6.5 Medium |
| Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ConveyThis: from n/a through <= 269.5. | ||||
| CVE-2025-67994 | 2 Wordpress, Yaycommerce | 2 Wordpress, Yaycurrency | 2026-02-25 | 7.5 High |
| Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YayCurrency: from n/a through <= 3.3. | ||||
| CVE-2025-67975 | 2 Adirectory, Wordpress | 2 Adirectory, Wordpress | 2026-02-25 | 6.5 Medium |
| Missing Authorization vulnerability in aDirectory aDirectory adirectory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects aDirectory: from n/a through <= 3.0.3. | ||||