Total
1566 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-4040 | 2026-04-15 | 7.1 High | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Turpak Automatic Station Monitoring System allows Privilege Escalation.This issue affects Automatic Station Monitoring System: before 5.0.6.51. | ||||
| CVE-2024-30507 | 2026-04-15 | 2.7 Low | ||
| Authorization Bypass Through User-Controlled Key vulnerability in Molongui.This issue affects Molongui: from n/a through 4.7.7. | ||||
| CVE-2025-4129 | 2026-04-15 | 7.5 High | ||
| Authorization Bypass Through User-Controlled Key vulnerability in PAVO Inc. PAVO Pay allows Exploitation of Trusted Identifiers.This issue affects PAVO Pay: before 13.05.2025. | ||||
| CVE-2023-32189 | 2026-04-15 | 5.9 Medium | ||
| Insecure handling of ssh keys used to bootstrap clients allows local attackers to potentially gain access to the keys | ||||
| CVE-2025-6942 | 1 Delinea | 1 Secret Server | 2026-04-15 | 3.8 Low |
| The distributed engine versions 8.4.39.0 and earlier of Secret Server versions 11.7.49 and earlier can be exploited during an initial authorization event that would allow an attacker to impersonate another distributed engine. | ||||
| CVE-2024-43350 | 1 Propovoice | 1 Propovoice Crm | 2026-04-15 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Propovoice Propovoice CRM.This issue affects Propovoice CRM: from n/a through 1.7.6.4. | ||||
| CVE-2025-14881 | 1 Pretix | 1 Pretix | 2026-04-15 | N/A |
| Multiple API endpoints allowed access to sensitive files from other users by knowing the UUID of the file that were not intended to be accessible by UUID only. | ||||
| CVE-2025-41358 | 1 Cronosweb I2a | 1 Cronosweb | 2026-04-15 | N/A |
| Direct Object Reference Vulnerability (IDOR) in i2A's CronosWeb, in versions prior to 25.00.00.12, inclusive. This vulnerability could allow an authenticated attacker to access other users' documents by manipulating the ‘documentCode’ parameter in '/CronosWeb/Modulos/Personas/DocumentosPersonales/AdjuntarDocumentosPersonas'. | ||||
| CVE-2024-38827 | 2026-04-15 | 4.8 Medium | ||
| The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly. | ||||
| CVE-2025-0640 | 1 Akinsoft | 1 Octocloud | 2026-04-15 | 4.7 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Akinsoft OctoCloud allows Resource Leak Exposure.This issue affects OctoCloud: from s1.09.02 before v1.11.01. | ||||
| CVE-2024-9554 | 1 Sovell | 1 Smart Canteen System | 2026-04-15 | 3.7 Low |
| A vulnerability classified as problematic was found in Sovell Smart Canteen System up to 3.0.7303.30513. Affected by this vulnerability is the function Check_ET_CheckPwdz201 of the file suanfa.py of the component Password Reset Handler. The manipulation leads to authorization bypass. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-22439 | 2026-04-15 | 6.9 Medium | ||
| A potential security vulnerability has been identified in HPE FlexFabric and FlexNetwork series products. This vulnerability could be exploited to gain privileged access to switches resulting in information disclosure. | ||||
| CVE-2026-1271 | 2 Metagauss, Wordpress | 2 Profilegrid, Wordpress | 2026-04-15 | 5.3 Medium |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators. | ||||
| CVE-2024-34520 | 2026-04-15 | 8.8 High | ||
| An authorization bypass vulnerability exists in the Mavenir SCE Application Provisioning Portal, version PORTAL-LBS-R_1_0_24_0, which allows an authenticated 'guest' user to perform unauthorized administrative actions, such as accessing the 'add user' feature, by bypassing client-side access controls. | ||||
| CVE-2024-10775 | 2026-04-15 | 4.3 Medium | ||
| The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.4.32 via the 'pafe-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to. | ||||
| CVE-2024-39642 | 1 Thimpress | 1 Learnpress | 2026-04-15 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in ThimPress LearnPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LearnPress: from n/a through 4.2.6.8.2. | ||||
| CVE-2025-34140 | 2026-04-15 | N/A | ||
| An authorization bypass vulnerability exists in ETQ Reliance (legacy CG and NXG SaaS platforms). By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited sensitive resources. The root cause was a misconfiguration in API authorization logic, which has since been corrected in SE.2025.1 and 2025.1.2. | ||||
| CVE-2025-14459 | 1 Redhat | 1 Container Native Virtualization | 2026-04-15 | 8.5 High |
| A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism. | ||||
| CVE-2025-69752 | 1 Ideagen | 1 Q-pulse | 2026-04-15 | 4.3 Medium |
| An issue in the "My Details" user profile functionality of Ideagen Q-Pulse 7.1.0.32 allows an authenticated user to view other users' profile information by modifying the objectKey HTTP parameter in the My Details page URL. | ||||
| CVE-2026-2230 | 2 Wordpress, Wpdevelop | 2 Wordpress, Booking Calendar | 2026-04-15 | 4.3 Medium |
| The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user. | ||||